SafeHub

Author: sumeetghimire · GitHub · v1.0.2
Platforms: darwin, linux, win32 · ⚠ suspicious
380 total downloads · 0 favorites · 3 current installs · 2 versions
Install in OpenClaw: /install safehub
Description
Scan OpenClaw skills for malware and security issues before installation. Use when the user wants to verify a skill is safe, audit a ClawHub skill, or check...
Safe usage advice
SafeHub's implementation is consistent with its stated purpose, but weigh these practical risks before installing or running it:
  1. The update command fetches rule files from whatever GitHub repository SAFEHUB_RULES_REPO points at and overwrites the local copies. Only use a rules repository you trust, and never run update against an unknown fork.
  2. The Docker sandbox runs the target read-only with no network, but the code does not instrument or report runtime behaviour in any detail (networkAttempted and sensitiveReads are never populated), so a clean sandbox result is not evidence that a skill is safe.
  3. Cached reports are written to ~/.safehub, and a Docker named volume may be created; review or delete these if they hold sensitive metadata about the code you scanned.
  4. The tool runs git clone on GitHub URLs and starts containers through the Docker daemon, and the analysis below notes that the clone command is built from the URL itself. Scan untrusted repositories only from an isolated environment (or inspect the code by hand first), and never pass SafeHub a URL you did not type yourself.
If you intend to rely on SafeHub's results, read scanner/static.js and scanner/scorer.js to see exactly which patterns are detected and how the trust score is computed.
Functional analysis
Type: OpenClaw Skill
Name: safehub
Version: 1.0.2
SafeHub is a security scanner that itself contains a critical shell injection vulnerability in lib/resolve.js: a GitHub URL is passed directly into execSync for a git clone operation without sufficient sanitization, so shell metacharacters in the URL reach the shell. In addition, the update command in commands/update.js fetches rule files from an arbitrary GitHub repository (selected by the SAFEHUB_RULES_REPO environment variable) and overwrites the local rule files with them, which could be used to manipulate scan results or potentially to compromise the host. The tool does implement a restrictive Docker sandbox for dynamic analysis, but these architectural flaws and the remote-update mechanism pose a significant security risk.
Capability assessment
Purpose & Capability
The name and description match the implementation: it runs Semgrep-based static analysis and an optional Docker sandbox. The required binaries (node, semgrep, git) are proportionate to the declared purpose, and the dependencies (commander, dockerode) are reasonable for a CLI that drives Docker.
Instruction Scope
SKILL.md and the code keep the scope mostly limited to scanning. However: (1) the sandbox implementation simply runs the target in a container and does not instrument or capture network attempts or sensitive file reads (the sandboxResult fields stay empty unless an error occurs), so the claimed behavioural observation is misleading; (2) the updater fetches rule files from any GitHub repository named in SAFEHUB_RULES_REPO and overwrites the local copies, which hands an external source control over the scanner's detection logic and must be treated as a privileged operation; (3) cached reports are written to ~/.safehub and may contain metadata about findings. All environment variables the code reads are documented in SKILL.md.
Install Mechanism
No install spec is declared (installation is expected via ClawHub or npm), so nothing arbitrary is downloaded at install time. The only runtime network downloads are the GitHub API and raw-content requests made by the update command, which use well-known GitHub endpoints; no URL shorteners or personal servers are involved. The bundle ships its source files, so it can be audited locally.
Credentials
No secret credentials are requested. The optional environment variables are reasonable (rules repo, branch, data dir, sandbox image, timeout). The main concern is SAFEHUB_RULES_REPO: it lets the user point the updater at any repository, so if an attacker (or the user, unknowingly) points it at a malicious fork, SafeHub will overwrite its local rule set with that fork's files, potentially suppressing warnings or producing false-safe results. SAFEHUB_DATA_DIR defaults to ~/.safehub and stores cached reports; bear that persistent storage in mind when scanning sensitive code.
Persistence & Privilege
The skill's always flag is false and it does not request platform-wide privileges. It creates and uses a persistent cache directory (~/.safehub) and may create a Docker named volume, safehub_tmp, that persists between runs. It does not modify other skills' configurations. The update command's ability to overwrite ./rules inside the skill directory is a documented form of self-modification and is privileged with respect to the scanner's behaviour.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install safehub
  3. After installation, call the skill by name directly or trigger it with /safehub
  4. Provide the required inputs described in the skill's parameter documentation to get structured output
Version history
v1.0.2
Docs: registry requirements, env vars, install/usage
v1.0.1
Security scanner for OpenClaw skills
Metadata
Slug: safehub
Version: 1.2 is not the version; the version is 1.0.2
Cumulative installs: 3
Current installs: 3
Versions published: 2
FAQ

What is SafeHub?

Scan OpenClaw skills for malware and security issues before installation. Use when the user wants to verify a skill is safe, audit a ClawHub skill, or check... It is an AI agent skill plugin for Claude Code / OpenClaw with 380 cumulative downloads to date.

How do I install SafeHub?

Run the command /install safehub in the OpenClaw or Claude Code chat box to install it in one step. The marketplace needs no extra configuration, but the scanner itself expects node, semgrep and git on the PATH, and Docker if you want the sandbox.

Is SafeHub free?

Yes, SafeHub is free to download, install and use and is distributed as open source, although no license is listed in the metadata above.

Which platforms does SafeHub support?

SafeHub runs cross-platform in any environment where OpenClaw / Claude Code is deployed (darwin, linux, win32).

Who develops SafeHub?

Developed and maintained by sumeetghimire (@sumeetghimire); the current version is v1.0.2.
