mpbshhx

Security Review

Author: mpbshhx · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
363 total downloads · 0 favorites · 7 current installs · 1 version
Install in OpenClaw
/install security-review
Description
Run a world-class security assessment before installing any external package, CLI, npm module, Python library, or third-party integration. Produces a GO/NO-G...
Usage instructions (SKILL.md)

# Security Review Skill

## Trigger

Run this skill BEFORE installing ANY external package, tool, CLI, npm module, Python library, browser extension, or third-party integration.

No exceptions. "Open source" is not a security clearance.

## What This Skill Does

Spawns a security review sub-agent that performs a world-class, current-intelligence security assessment and produces a GO / NO-GO / CONDITIONAL verdict.

## How to Use

### 1. Spawn the review agent

```
sessions_spawn with model: anthropic/claude-sonnet-4-6, task: [security review prompt below]
```

### 2. Standard Review Prompt Template
Fill in [PACKAGE NAME], [INSTALL COMMAND], [DESCRIPTION], [SOURCE URL]:

```
You are a world-class security analyst. Perform a comprehensive security review before installation.

PACKAGE: [PACKAGE NAME]
Source: [GitHub URL or npm/pypi link]
Install: [INSTALL COMMAND]
Description: [what it claims to do]

Cover ALL 7 sections:

1. LEGITIMACY & TRUST SIGNALS
   - Author/maintainer: GitHub profile, history, reputation
   - Stars, forks, contributors, last commit
   - Red flags: new account, copied code, suspicious activity

2. LATEST SECURITY INTELLIGENCE (USE web_search)
   Search: "[name] security vulnerability", "[name] malware", "[name] CVE",
   "[name] data exfiltration", "[author] security issues", HackerNews/Reddit discussions

3. SOURCE CODE ANALYSIS (USE web_fetch on raw GitHub files)
   - What does the entry point actually do?
   - Network calls — to where?
   - File system access beyond documented scope?
   - Obfuscated code?
   - npm/pip dependencies — any known-bad?

4. DATA FLOW ANALYSIS
   - What data does it access? (conversations, files, env vars, API keys)
   - Where does data go? Local only or external?
   - Telemetry/analytics present?
   - Exfiltration risk for workspace content?

5. PERMISSION SCOPE
   - System access required
   - Network access?
   - Touches env vars or config files?
   - Can it interfere with other processes?

6. DEPENDENCY RISK
   - Full dependency list
   - Any known-vulnerable deps?
   - Recent supply chain attacks on dependencies?

7. VERDICT
   GO / NO-GO / CONDITIONAL
   - Confidence: High/Medium/Low
   - Top 3 specific risks
   - If CONDITIONAL: exact conditions required before install

Write complete review to:
C:\Users\hhx-sandbox2\.openclaw\workspace\logs\security-review-[package-name]-[YYYY-MM-DD].md

Verify file exists and is complete before reporting done.
```

### 3. Read the output
After the sub-agent completes, read the file and surface the verdict to Marcus.

### 4. Marcus decides
Present the verdict clearly. Never install without explicit Marcus approval after a GREEN or CONDITIONAL review.

## Standing Rules

- **NO install without a completed security review** — not even "quick" ones
- **Web search is mandatory** — latest CVEs and community reports must be checked
- **Source code must be read** — not just the README
- **All reviews logged** to `logs/security-review-[package]-[date].md`
- **MEMORY.md updated** with verdict after each review

## Review Log Index
| Date | Package | Verdict | File |
|------|---------|---------|------|
| 2026-03-04 | claude-subconscious | Pending | logs/security-review-claude-subconscious-2026-03-04.md |

Security Usage Recommendations
This skill appears to do what it says, but check a few things before installing/using it: (1) The SKILL.md writes results to a hard-coded Windows path (C:\Users\hhx-sandbox2\.openclaw\...) — replace that with a cross-platform workspace variable or confirm the path is correct and private. (2) It spawns a sub-agent (sessions_spawn) and requests use of web_search/web_fetch; ensure your agent policies limit what that sub-agent can do (it should not be allowed to auto-install packages or exfiltrate data). (3) The skill asks you to update MEMORY.md — verify whether persistent memory writes are acceptable in your environment. (4) The template forces a specific model (anthropic/claude-sonnet-4-6); confirm that model is available or adjust to a supported model. If you accept those caveats and restrict the sub-agent's permissions and storage location, the skill is coherent and appropriate for pre-install reviews. If you cannot limit file writes or sub-agent capabilities, treat it with caution.
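
The "verify file exists and is complete" step of the prompt template, combined with the advice above to replace the hard-coded Windows path, as an added example that is not part of the skill's SKILL.md. The function names, the caller-supplied workspace root, and the assumed layout of the verdict section (a line naming the verdict, a `Confidence:` line, a line mentioning conditions) are assumptions made for illustration.

```python
import re
from datetime import date
from pathlib import Path

# Section titles required by the prompt template, in order.
SECTIONS = ["LEGITIMACY & TRUST SIGNALS", "LATEST SECURITY INTELLIGENCE",
            "SOURCE CODE ANALYSIS", "DATA FLOW ANALYSIS", "PERMISSION SCOPE",
            "DEPENDENCY RISK", "VERDICT"]
TOKEN_RE = re.compile(r"(?<![\w-])(NO-GO|GO|CONDITIONAL)(?![\w-])")

def review_log_path(workspace: Path, package: str, day: date) -> Path:
    """Build logs/security-review-[package]-[date].md under a workspace root."""
    # The package name is untrusted input: strip anything with path meaning.
    safe = re.sub(r"[^A-Za-z0-9._-]+", "-", package).strip(".-") or "unnamed"
    return workspace / "logs" / f"security-review-{safe}-{day.isoformat()}.md"

def check_review(text: str):
    """Return (verdict, problems); an empty problems list means complete."""
    problems, pos = [], 0
    for title in SECTIONS:
        m = re.compile(re.escape(title), re.I).search(text, pos)
        if m is None:
            problems.append(f"missing section: {title}")
        else:
            pos = m.end()
    if "missing section: VERDICT" in problems:
        return None, problems
    tail = text[pos:]
    # The first line after the VERDICT heading that names a verdict decides it.
    tokens = next((t for t in map(TOKEN_RE.findall, tail.splitlines()) if t), [])
    verdict = tokens[0] if len(set(tokens)) == 1 else None
    if verdict is None:  # absent, or the unfilled "GO / NO-GO / CONDITIONAL"
        problems.append("no single verdict")
    if not re.search(r"confidence:\s*(high|medium|low)\b", tail, re.I):
        problems.append("missing confidence")
    if verdict == "CONDITIONAL" and not re.search(r"\bconditions?\b", tail, re.I):
        problems.append("CONDITIONAL without conditions")
    return verdict, problems

def verify_log(path: Path):
    """The 'file exists and is complete' gate from the prompt template."""
    if not path.is_file():
        return None, [f"review file not found: {path}"]
    return check_review(path.read_text(encoding="utf-8"))

# Constructed sample review (not real output from the skill).
SAMPLE = "\n".join(f"## {i}. {t}\nnotes" for i, t in enumerate(SECTIONS, 1)) + \
    "\nCONDITIONAL\nConfidence: Medium\nConditions: pin the version"
```

A review that still carries the template's literal `GO / NO-GO / CONDITIONAL` line is reported as having no single verdict, so an unfilled section cannot be surfaced as an approval.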
Functional Analysis
Type: OpenClaw Skill · Name: security-review · Version: 1.0.0
The 'security-review' skill is a defensive utility designed to automate security assessments of third-party packages before installation. It uses standard tools (web_search, web_fetch, sessions_spawn) to analyze source code, check for CVEs, and evaluate maintainer reputation. While it contains a hardcoded file path (C:\Users\hhx-sandbox2\...) specific to a particular environment in SKILL.md, there is no evidence of malicious intent, data exfiltration, or unauthorized execution.
Capability Assessment
Purpose & Capability
Name/description (security review) match the instructions: the SKILL.md requires web_search and web_fetch and instructs source-code and CVE review. Asking to spawn a review sub-agent is reasonable for an in-depth assessment.
Instruction Scope
Instructions are explicit and narrowly scoped to security review tasks (legitimacy checks, web searches, raw source fetch, dependency analysis, data flow). However the skill mandates writing the review to a specific absolute Windows path and updating MEMORY.md, which is platform-specific and implies filesystem writes and persistent agent memory updates—things you should confirm are acceptable.
Install Mechanism
Instruction-only skill with no install steps or third-party downloads. Lowest install risk.
Credentials
No environment variables, credentials, or config paths are requested by the skill. The review process explicitly says to check for packages accessing env vars/API keys, which is appropriate for a security review.
Persistence & Privilege
always:false (good). The skill instructs spawning a sub-agent (sessions_spawn) and writing logs into the agent workspace and updating MEMORY.md — this requires file-write privileges and allows the review agent to act and persist findings. Confirm you are comfortable granting these capabilities to the agent and that the sub-agent is not given any install/autonomy beyond the review task.
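How to Use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install security-review
  3. Once installed, call the Skill by name or trigger it with /security-review
  4. Provide the required input according to the Skill's parameter description to get structured output
Version History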
v1.0.0
World-class security assessment before any install. Source code analysis, CVE search, data flow review. GO/NO-GO/CONDITIONAL verdict.
Metadata
Slug security-review
Version 1.0.0
License MIT-0
Total installs 7
Current installs 7
Number of versions 1
FAQ

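What is Security Review?

Run a world-class security assessment before installing any external package, CLI, npm module, Python library, or third-party integration. Produces a GO/NO-G... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 363 total downloads to date.

How do I install Security Review?

Run the command "/install security-review" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Security Review free?

Yes, Security Review is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Security Review support?

Security Review is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Security Review?

Developed and maintained by mpbshhx (@mpbshhx); the current version is v1.0.0.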