solomonneas

S³ Security Audit

Author: Solomon Neas · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 242
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install s3-security-audit
Description
Run security audits on codebases using static analysis, dependency scanning, and manual code review patterns. Covers OWASP Top 10, secrets detection, depende...
Safe-use guidance
This instruction-only skill mostly does what it claims (local static checks and dependency scans), but note two important caveats: (1) the registry metadata omits required binaries (grep/find/sed, npm, pip), so ensure the executing environment has those tools before use; (2) the SKILL.md will try to install tooling at runtime (e.g., 'pip install pip-audit') and run network queries (npm audit/pip-audit), which introduces supply-chain and network exposure risks. Before installing or running: run the commands manually or inside an isolated container/VM, review and pin any packages that would be installed, avoid running against repositories with live secrets unless in a controlled environment, and consider using curated, signed scanner binaries or your organization's approved security tools instead of allowing implicit installs.
Capability analysis
Type: OpenClaw Skill
Name: s3-security-audit
Version: 1.0.0
The skill bundle provides a comprehensive set of instructions and shell commands for performing static security audits on codebases, including secrets detection, dependency scanning, and vulnerability pattern matching using grep. The logic is transparent, uses standard security tools (pip-audit and npm audit), and matches its stated purpose, with no signs of data exfiltration, malicious execution, or prompt injection.
Capability assessment
Purpose & Capability
The SKILL.md describes a security-audit tool that performs local static checks and dependency scans, which matches the name/description. However the registry metadata declares no required binaries or env vars while the instructions assume common CLI tools (find, grep, sed), language toolchains (npm, pip) and optional scanners (pip-audit, npm audit). This mismatch between declared requirements and actual runtime expectations is an incoherence a user should be aware of.
Instruction Scope
Instructions perform broad local repository scans (searching for .env, *.pem, keys, and secret-like patterns) which is expected for auditing, but they also include commands that will attempt to install tooling at runtime (e.g., 'pip install pip-audit'). Installing packages and running network-backed audits (npm audit, pip-audit) are side effects with network/supply-chain implications. The guidance otherwise stays within the audit scope and does not instruct exfiltration or posting results externally.
Install Mechanism
There is no formal install spec in the registry (instruction-only), yet the SKILL.md contains an implicit install step ('pip install pip-audit') and expects npm/pip to be present. Implicit runtime installs are higher risk than an explicit vetted install spec because they pull code from package registries at execution time and may alter the agent environment.
Credentials
The skill requests no environment variables or credentials in metadata. The audit scripts search for secret patterns (AWS-like tokens, private keys) within the repository which is appropriate for a security audit and does not itself request unrelated external credentials.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system/service configuration changes. It does not attempt to modify other skills or global agent settings in the provided instructions.
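As an added example for the safe-use guidance and the Install Mechanism and Credentials points above (this is editorial code, not part of the s3-security-audit skill or its SKILL.md), the POSIX shell wrapper below does the preflight a practitioner would want before letting the skill's commands run: it checks that the binaries the instructions assume are on PATH, refuses to install a missing scanner implicitly and instead reports it so the operator can pin and install an approved build, and exercises a secrets-pattern grep over a constructed sample tree rather than a live repository. The tool list, the regexes and the sample files are assumptions chosen for illustration; the skill's own patterns are not reproduced here.

```shell
#!/bin/sh
# Added example (not part of the s3-security-audit skill). Enforces the two
# cautions from the safe-use guidance before any audit command runs:
#   1. verify the binaries the SKILL.md assumes, instead of discovering their
#      absence mid-run;
#   2. never install scanners implicitly; report what is missing and leave the
#      decision (pin + install from an approved source) to the operator.
# Tool names, regexes and sample files below are assumptions for illustration.

# Return 0 if every binary named in "$@" is on PATH, 1 otherwise; the missing
# names are printed to stdout so a caller can report them.
check_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# Preflight: required tools must be present; optional scanners are reported as
# absent rather than installed at runtime. Returns 1 if a required tool is
# missing, 0 otherwise.
preflight() {
    if ! check_tools grep find sed; then
        echo "refusing to run: required tools missing" >&2
        return 1
    fi
    for scanner in pip-audit npm; do
        command -v "$scanner" >/dev/null 2>&1 \
            || echo "note: $scanner not installed; install a pinned, approved build instead of letting the skill run 'pip install'" >&2
    done
    return 0
}

# Secrets grep over directory $1: prints "file:line" for each matching line.
# Assumed patterns: AWS access key id prefix, PEM private-key header, and a
# generic api_key/secret assignment with a long token value.
scan_secrets() {
    grep -rnE \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' \
        -e '(api[_-]?key|secret)[[:space:]]*[:=][[:space:]]*["'"'"']?[A-Za-z0-9/+=_-]{16,}' \
        "$1" 2>/dev/null | cut -d: -f1,2
}

# Build a constructed sample tree (not a real repository): one file per
# pattern plus one clean file. Prints the number of flagged lines (3).
count_sample_findings() {
    dir=$(mktemp -d)
    printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$dir/.env"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEpAIBAAKCAQEA' > "$dir/server.pem"
    printf 'api_key = "sk_live_0123456789abcdef0123"\n' > "$dir/config.py"
    printf 'def main():\n    return 0\n' > "$dir/app.py"
    n=$(scan_secrets "$dir" | wc -l | tr -d ' ')
    rm -rf "$dir"
    echo "$n"
}

# Usage: `sh audit-preflight.sh --demo` runs the preflight and then scans the
# constructed sample tree; `scan_secrets /path/to/repo` scans a real checkout
# (only inside an isolated container or VM, per the guidance above).
case "${1:-}" in
    --demo) preflight && echo "sample findings: $(count_sample_findings)" ;;
esac
```

The wrapper deliberately has no install path: if `pip-audit` or `npm` is absent it says so and continues, so the only code that executes is what is already on the host. Running the secrets grep against the constructed tree first confirms the patterns fire before they are pointed at a repository that may contain live credentials.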
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install s3-security-audit
  3. After installation, call the skill by name or trigger it with /s3-security-audit.
  4. Provide the inputs required by the skill's parameter description to get structured output.
Version history
v1.0.0
Initial release of the security-audit skill for codebase security assessments.
- Provides a structured methodology adapted from Trail of Bits for comprehensive code security audits.
- Covers static analysis, secrets detection, dependency scanning, and infrastructure misconfigurations.
- Includes command-line snippets for automated security checks focused on OWASP Top 10 risks.
- Offers a clear report template for summarizing findings and recommendations.
- Lists limitations, emphasizing the need for manual review and the scope of the automated checks.
Metadata
Slug: s3-security-audit
Version: 1.0.0
License: MIT-0
Cumulative installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is S³ Security Audit?

Run security audits on codebases using static analysis, dependency scanning, and manual code review patterns. Covers OWASP Top 10, secrets detection, depende... It is an AI Agent Skill plugin for Claude Code / OpenClaw, downloaded 242 times in total so far.

How do I install S³ Security Audit?

Run the command "/install s3-security-audit" in the OpenClaw or Claude Code chat box to install it in one step. The installer needs no additional configuration, but the skill's own instructions expect grep/find/sed, npm and pip to be available in the executing environment (see the safe-use guidance above).

Is S³ Security Audit free?

Yes. S³ Security Audit is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does S³ Security Audit support?

S³ Security Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed S³ Security Audit?

Developed and maintained by Solomon Neas (@solomonneas); the current version is v1.0.0.
