Scopecheck

Author mirni · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 113
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install scopecheck
Description
Analyze an OpenClaw SKILL.md and extract its permission scope — what env vars, CLI tools, filesystem paths, and network URLs it accesses. Compares declared r...
Safe usage recommendations
This skill appears coherent and low-risk: it runs a local FastAPI/uvicorn server and analyzes SKILL.md text you send it. Before installing or running it, consider: (1) start it locally or in a sandboxed environment so the server only binds to localhost/your network; (2) ensure pip installs are from PyPI and consider pinning package versions; (3) the SKILL.md metadata omits 'uvicorn' from declared bins even though the example invokes it — this is a documentation/metadata omission, not an active risk; (4) the README examples use curl and jq (not declared) — you only need those to follow the example, not for the skill internals; (5) the extractor regexes may over-match in edge cases (e.g., uppercase tokens that are not intended env vars), so review results before acting on them. If you want higher assurance, review the source files provided or run the server in an isolated environment.
Functional analysis
Type: OpenClaw Skill
Name: scopecheck
Version: 1.0.0
The 'scopecheck' skill is a static analysis utility designed to audit OpenClaw SKILL.md files for resource usage. It extracts and compares declared vs. detected environment variables, CLI tools, filesystem paths, and URLs using standard Python libraries (FastAPI, PyYAML, Pydantic). The code in scopecheck/app.py and scopecheck/extractors.py is transparent, follows its stated purpose, and contains no indicators of malicious behavior, data exfiltration, or intentional vulnerabilities.
Capability assessment
Purpose & Capability
The skill's name/description match its code: it parses SKILL.md and reports env vars, CLI tools, filesystem paths, and URLs. It declares python as a required binary and installs FastAPI/uvicorn via pip; however the runtime instructions invoke the uvicorn binary but 'uvicorn' is not listed in the declared bins frontmatter (the pip install will provide it). This is a minor mismatch (documentation/metadata omission) rather than a capability mismatch.
Instruction Scope
SKILL.md instructs running a local uvicorn server and shows a curl + jq example to POST SKILL.md content. The example references external CLI tools (curl, jq) that are not declared in the skill metadata; these are usage examples for the operator rather than actions the skill performs itself, but you should be aware the examples assume those tools exist. The analyzer itself only processes the provided SKILL.md text and does not read system files or env vars beyond parsing the submitted content.
Install Mechanism
Install uses pip packages (fastapi, uvicorn, pydantic, pyyaml) via the declared install provider. These are standard packages from PyPI and no arbitrary external download URLs or extract/remote archives are used in the provided install spec.
Credentials
The skill requests no environment variables and the code does not access runtime secrets. It only scans the submitted SKILL.md text for env-like tokens. No unrelated credentials are requested.
Persistence & Privilege
always:false and normal model invocation settings. The skill does not modify other skills or system-wide agent settings and does not request persistent elevated privileges.
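How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install scopecheck
  3. Once installation is complete, invoke the Skill by name or trigger it with /scopecheck
  4. Provide the required input according to the Skill's parameter documentation to get structured output
Version history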
v1.0.0
- Improved description for clarity and conciseness.
- Updated metadata format and added emoji for better integration.
- Revised installation instructions for clearer dependency management.
- Simplified usage examples and response documentation.
- Enhanced explanation of extracted fields and undeclared access detection.
v0.1.1
- Added OpenClaw metadata to SKILL.md with required binaries and install instructions.
- Updated installation and usage instructions for clarity and consistency.
- Changed server start example to use the new import path: uvicorn scopecheck.app:app.
- Improved formatting and separated installation from usage steps.
v0.1.0
Initial release of ScopeCheck, a security tool for SKILL.md permission manifest analysis.
- Extracts and summarizes environment variables, CLI tools, filesystem paths, and network URLs accessed by a skill.
- Compares detected resource access with what is declared in SKILL.md.
- Reports mismatches as undeclared access.
- Provides both a hosted API and standalone server usage options.
- Clear input and output schema are documented for easy integration.
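Metadata
Slug scopecheck
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 3
FAQ

What is Scopecheck?

Analyze an OpenClaw SKILL.md and extract its permission scope — what env vars, CLI tools, filesystem paths, and network URLs it accesses. Compares declared r... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 113 total downloads so far.

How do I install Scopecheck?

Run the command "/install scopecheck" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Scopecheck free?

Yes, Scopecheck is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Scopecheck support?

Scopecheck runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Scopecheck?

Developed and maintained by mirni (@mirni); the current version is v1.0.0.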
