← 返回 Skills 市场
Security Scan
作者
ShadowLoong
· GitHub ↗
· v1.0.0
· MIT-0
660
总下载
0
收藏
12
当前安装
1
版本数
在 OpenClaw 中安装
/install security-scan
功能描述
Security review workflow for OpenClaw skills and other small code folders. Use when auditing a skill before publishing or installing it, checking for dangero...
使用说明 (SKILL.md)
Security Scan
Perform a lightweight security review before trusting, publishing, or installing a skill.
What this skill does
Use this skill to:
- inspect a skill directory for obviously dangerous code patterns
- look for likely hardcoded credentials or tokens
- flag risky file permissions
- produce a concise risk summary with recommended next steps
This skill is intentionally conservative and lightweight. Treat findings as review signals, not proof of compromise.
What this skill does not do
Do not claim capabilities that are not present in the bundled resources.
This skill does not provide:
- true sandbox execution
- system call tracing
- network traffic capture
- dependency CVE resolution from external databases
- automatic approval or rejection logic
If deeper reverse engineering or threat analysis is needed, do a manual review and use stronger external tooling.
Bundled resource
scripts/scan.sh
Run the included shell scanner for a quick static pass:
bash scripts/scan.sh /path/to/target
The script currently checks for:
- suspicious function names such as
eval(,exec(,system(, andspawn( - simple hardcoded-secret patterns
- world-writable files
Because the script uses grep-style heuristics, expect both false positives and false negatives.
Recommended workflow
1. Scope the review
Confirm what you are reviewing:
- target directory
- whether it is a skill, script bundle, or general code folder
- whether the goal is publish review, install review, or a quick sanity check
2. Run the quick scan
From the skill directory:
bash scripts/scan.sh /path/to/target
If the target is the current directory:
bash scripts/scan.sh .
3. Review the findings manually
Do not stop at raw matches. Inspect the surrounding code and decide whether each finding is:
- expected and justified
- suspicious but explainable
- high-risk and likely unacceptable
Pay special attention to:
- shell execution that touches untrusted input
- outbound network access
- credential handling
- writes outside the working directory
- self-modifying or persistence-oriented behavior
4. Give a practical verdict
Summarize the result in plain language using a simple rubric:
- Low risk: no meaningful issues found in this lightweight review
- Needs review: suspicious patterns or ambiguous findings require manual inspection before trust
- High risk: clear dangerous behavior, likely secrets, or unjustified execution patterns
5. Recommend next actions
Examples:
- publish/install as-is
- publish/install only after removing a flagged pattern
- rotate exposed credentials
- request source clarification from the author
- escalate to deeper manual or sandboxed analysis
Reporting pattern
Use a compact structure like this:
Security scan summary
- Target: \x3Cpath>
- Result: Low risk | Needs review | High risk
- Findings:
- \x3Cfinding 1>
- \x3Cfinding 2>
- Confidence: Low | Medium | High
- Recommended action: \x3Cnext step>
Triage guidance
Usually high risk
- obvious credential material checked into the repo
- hidden or unjustified command execution
- code that downloads and runs remote content
- writes to sensitive locations without a clear reason
Usually medium risk
- use of shell execution with unclear input handling
- overly broad file permissions
- suspicious obfuscation or encoded payloads
- installer/update logic that is hard to verify quickly
Usually low risk
- benign matches in docs or examples
- helper scripts that use shell commands in a narrow, understandable way
- false positives from regex scanning
Practical cautions
- Prefer a short, evidence-based verdict over dramatic claims.
- Quote the matched lines or file paths when useful.
- If confidence is low, say so explicitly.
- Do not claim the scan is comprehensive.
- For publish decisions, err on the side of requiring cleanup when the skill still contains templates, TODOs, placeholder claims, or unverified commands.
安全使用建议
This appears to be a legitimate, lightweight static scanner. Before running it, inspect scripts/scan.sh yourself (it's short and included) and run the scan on a copy or controlled checkout of the target if the target contains sensitive data. Understand this tool is intentionally limited: it will produce false positives and false negatives and does not perform dynamic or network analysis. If the scan finds potential secrets or dangerous calls, manually inspect the surrounding code, rotate any exposed credentials, and escalate to sandboxed/dynamic analysis or human review for high-risk findings.
功能分析
Type: OpenClaw Skill
Name: security-scan
Version: 1.0.0
The skill is a legitimate security auditing tool designed for lightweight static analysis of code directories. The shell script `scripts/scan.sh` uses standard, non-destructive commands (grep and find) to identify potentially dangerous functions, hardcoded API keys, and insecure file permissions. The instructions in `SKILL.md` are well-structured, align with the stated purpose, and provide safe guidance for an AI agent to perform manual security reviews without any evidence of malicious intent or prompt injection.
能力评估
Purpose & Capability
Name/description match the included resources: a lightweight static scanning workflow and a small shell script that searches a target directory for dangerous calls, hardcoded-secret patterns, and world-writable files. It does not request unrelated credentials, binaries, or config paths.
Instruction Scope
SKILL.md limits the agent to running the bundled script against a user-specified target and to manual triage of results. The script only reads files under the provided target path and emits findings; it does not contact external endpoints, write outside the target, or reference environment variables beyond the target parameter.
Install Mechanism
No install spec — instruction-only with one small included shell script. Nothing is downloaded or placed into system locations. This is low-risk and proportionate for the stated purpose.
Credentials
The skill declares no required environment variables or credentials. The script contains regexes to detect some common API key formats (e.g., Google API key prefix, OpenAI sk-), which is expected behavior for a secrets scanner. No unrelated secrets or broad credential access are requested.
Persistence & Privilege
always:false and no code that modifies other skills or global agent settings. The skill can be invoked by the agent (normal default); it does not request permanent presence or elevated privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install security-scan - 安装完成后,直接呼叫该 Skill 的名称或使用
/security-scan触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of the security-scan skill.
- Provides a lightweight security review workflow for OpenClaw skills and small code folders.
- Scans for dangerous code patterns, likely hardcoded secrets, and risky file permissions using a shell script.
- Produces concise risk summaries with recommended next steps.
- Designed for quick, static reviews and cautious go/no-go recommendations; not a replacement for deep malware analysis.
- Includes clear guidance on interpreting results and making practical security decisions.
元数据
常见问题
Security Scan 是什么?
Security review workflow for OpenClaw skills and other small code folders. Use when auditing a skill before publishing or installing it, checking for dangero... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 660 次。
如何安装 Security Scan?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install security-scan」即可一键安装,无需额外配置。
Security Scan 是免费的吗?
是的,Security Scan 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Security Scan 支持哪些平台?
Security Scan 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Security Scan?
由 ShadowLoong(@shadowloong)开发并维护,当前版本 v1.0.0。
推荐 Skills