kennyzir

security scanner

Author claw0x · GitHub · v1.0.7 · MIT-0
cross-platform ⚠ suspicious
259
Total downloads
0
Favorites
0
Current installs
8
Versions
Install in OpenClaw
/install security-scanner-plus
Description
Scan AI agent skills for security vulnerabilities, dangerous code patterns, and undeclared permissions. Three-layer analysis: dependency CVE scanning, static...
Safe usage recommendations
This skill forwards provided repo URLs or code to the Claw0x Gateway (https://api.claw0x.com). That behavior matches its purpose but has privacy implications: do not send secrets, credentials, or private data you cannot share. Before installing, verify you trust Claw0x (review privacy/security docs), use a dedicated/limited API key, rotate the key if leaked, and prefer a local scanner for highly sensitive code. Review the included handler.ts (it only reads CLAW0X_API_KEY and POSTs the input) and consider network controls (allowlist api.claw0x.com) and logging to detect unexpected usage.
Functional analysis
Type: OpenClaw Skill
Name: security-scanner-plus
Version: 1.0.7
The skill acts as a wrapper for an external third-party service, requiring a 'CLAW0X_API_KEY' and sending user-provided source code or repository URLs to a remote endpoint (api.claw0x.com) for processing, as seen in handler.ts. While this behavior is consistent with the stated purpose of a security scanner in SKILL.md, the exfiltration of potentially sensitive source code to a 'black box' API represents a high-risk data handling practice. There is no evidence of local malicious logic, but the reliance on an external service for code analysis poses significant privacy and security risks.
Capability assessment
Purpose & Capability
Name/description state it will scan skills for vulnerabilities and undeclared permissions; the SKILL.md and handler.ts implement exactly that by calling the Claw0x Gateway API. Requested artifacts (repo_url, skill_slug, code) and the single required env var (CLAW0X_API_KEY) match the stated purpose.
Instruction Scope
Runtime instructions and examples consistently instruct the agent to POST skill data (repo URL or code) to https://api.claw0x.com/v1/call. There are no instructions to read unrelated local files or other environment variables. This is expected, but it does mean user code/metadata will be sent to a third-party service — a privacy-sensitive action that the user should be aware of.
Install Mechanism
Instruction-only skill with no install spec. The included handler.ts is a small network wrapper (uses fetch) and does not write to disk or download/extract remote archives. Low installation risk.
Credentials
Only CLAW0X_API_KEY is required (declared in SKILL.md metadata and enforced by handler.ts). That single credential is proportional to a remote service wrapper. Users should still treat the key as sensitive because it authorizes requests that may transmit code to the external API.
Persistence & Privilege
always is false and the skill does not request elevated privileges, nor does it modify other skills or global agent config. Model invocation is allowed (the platform default), which is appropriate for a callable scanner.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install security-scanner-plus
  3. After installation, call the skill by name directly or trigger it with /security-scanner-plus
  4. Provide the required input according to the skill's parameter description to receive structured output
Version history
v1.0.7
No user-facing changes in this release.
- Version bumped to 1.0.7.
- No code or documentation changes detected.
v1.0.6
Security-scanner-plus v1.0.6 changelog:
- SKILL.md completely rewritten for clarity, conciseness, and practical usage guidance.
- Added "Quick Reference", "5-Minute Quickstart", "Real-World Use Cases", and "Integration Recipes" sections for faster onboarding.
- Removed mentions of GITHUB_TOKEN from required environment variables.
- Updated description, examples, and API usage to reflect the latest scan flow and endpoint: https://api.claw0x.com/v1/call.
- Improved documentation on code, dependency, and permission scanning, with actionable example workflows for CI/CD, marketplaces, and pre-commit hooks.
- No changes to code logic; documentation update only.
v1.0.5
- Added GITHUB_TOKEN as a required environment variable in addition to CLAW0X_API_KEY.
- No other changes to features, usage, or output.
v1.0.4
v1.0.4 of security-scanner-plus
- No file changes detected in this version.
- Functionality, documentation, and metadata remain unchanged.
v1.0.3
- Clarified and reworded descriptions for static code analysis rules and input modes for improved readability.
- Enhanced explanations of mutually exclusive input options (repo_url, skill_slug, code) for accuracy and clarity.
- Updated example sections for input and output to use more concise, consistent formatting.
- Minor adjustments to permission auditing and when-to-use guidance to better reflect usage outside the Claw0x publishing context.
- No functional or logic changes; documentation only.
v1.0.2
- Internal code files (including analyzers and rule definitions) were removed.
- The skill now depends entirely on the remote API; local scanning logic is no longer included.
- No changes to user-facing API, input modes, or documentation.
- Functionality, usage, and output remain unchanged for users.
v1.0.1
**Major restructuring: Full rewrite with expanded documentation, new input/output structure, and internal modularization.**
- Complete internal refactor with new modular files for code analysis, dependency scanning, risk scoring, reporting, and permission auditing.
- Unified documentation now covers detailed scanning methodology, risk scoring, all detectors, example inputs/outputs, and precise API usage.
- Expanded input options: direct code, GitHub repo, or Claw0x skill slug.
- Output format enhanced: includes detailed scan findings, scoring breakdown, recommendation list, timing, and expanded permission audit.
- Tool is still free, but now clearer on prerequisites and API key handling.
v1.0.0
security-scanner 1.0.0
- Initial public release.
- Provides three-layer security scanning for AI agent skills: dependency CVE checks, code analysis for dangerous patterns, and permission audits.
- Generates a structured risk report with a 0–100 score.
- Supports scanning via direct code, GitHub repo URL, or registered skill slug.
- Free to use;
Metadata
Slug security-scanner-plus
Version 1.0.7
License MIT-0
Cumulative installs 0
Current installs 0
Historical versions 8
FAQ

What is security scanner?

Scan AI agent skills for security vulnerabilities, dangerous code patterns, and undeclared permissions. Three-layer analysis: dependency CVE scanning, static... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 259 downloads to date.

How do I install security scanner?

Run the command "/install security-scanner-plus" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is security scanner free?

Yes, security scanner is completely free. It is licensed under MIT-0 and can be freely downloaded, installed, and used.

Which platforms does security scanner support?

security scanner runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed security scanner?

Developed and maintained by claw0x (@kennyzir); the current version is v1.0.7.
