Security Audit Hand

自主安全审计 - 定期检查系统安全、发现风险、生成报告

This SKILL.md appears coherent for a local security auditor, but it will read configuration files and logs (which may contain API keys or other secrets) and run system/network commands. Before using it: (1) review the SKILL.md line-by-line so you understand what files and commands will be accessed; (2) run the audit in a controlled environment (non-root account or test host) if you are concerned about exposure; (3) back up and/or rotate any secrets that will be inspected if you aren't comfortable exposing them; (4) ensure results are stored locally and not automatically posted to external channels (the config mentions notify_channel like 'feishu' — configure or disable it); (5) be aware memory_recall may surface agent memory contents — remove or restrict that step if needed. Because the skill is instruction-only and makes no installs, the main risk is sensitive-data exposure through the audit steps rather than hidden code. If you want higher assurance, ask the author for an explicit privacy/exfiltration statement or run the procedure manually following the provided commands.

Type: OpenClaw Skill Name: security-audit-hand Version: 1.0.0 The skill is designed for security auditing, which involves legitimate checks. However, it explicitly instructs the agent to read potentially sensitive files like `~/.openclaw/.api-keys.md` and search `/tmp/openclaw/*.log` for API key patterns (`sk-`, `nvapi-`). While the stated purpose is to identify security risks, these commands directly expose sensitive API keys to the agent's processing context. Additionally, `curl ifconfig.me` makes an external network call to retrieve the public IP. These actions represent risky capabilities that could lead to data exposure, even without explicit instructions for malicious exfiltration, thus classifying it as suspicious.