Total downloads: 291
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install security-skiil-scanner
Description
Security vetting protocol before installing any AI agent skill. Red flag detection for credential theft, obfuscated code, exfiltration. Risk classification L...
Security usage recommendations
This skill mostly looks like a legitimate vetting checklist and quick-commands guide, but there are red flags that justify caution:
- Metadata mismatches: the registry name/slug/owner differ from SKILL.md/_meta.json/README. That could be a packaging mistake or an attempt to masquerade as another skill — verify the correct author and slug before installing.
- Undeclared dependency: the docs call 'clawhub install' but 'clawhub' is not listed in required binaries. Ensure you have the expected CLI tools and understand what the script will run.
- Scope: the vetter tells the agent to download and 'cat' all files in a repo; that will expose any secrets embedded in the package being inspected. That is expected for vetting, but you should not run it against packages you don't trust or that might contain sensitive files.
Recommended actions before installing:
1) Manually verify the skill’s source (author account, repo URL, ClawHub verified badge). Confirm ownerId/slug match the publisher.
2) Run the vetting commands yourself in a controlled environment (container or VM) rather than allowing an agent to run them autonomously.
3) Add 'clawhub' to your checklist of prerequisites if you plan to follow the SKILL.md instructions, or modify the instructions to use only declared tools.
4) If you need high assurance, refuse installation until the metadata inconsistencies are resolved and the publisher identity is confirmed.
Functional analysis
Type: OpenClaw Skill
Name: security-skiil-scanner
Version: 1.0.0
This skill is a security vetting tool designed to help an AI agent identify malicious code, data exfiltration, and prompt injection attempts in *other* skills. While it instructs the agent to use powerful commands like `curl` and `clawhub install` (to a temporary directory), these actions are explicitly for the purpose of analyzing external skills, not for self-exploitation or malicious behavior by this skill itself. The `SKILL.md` clearly outlines red flags to look for and provides examples of malicious code as illustrations, not as code to be executed by the vetting skill. Its purpose is to enhance security, not compromise it.
Capability assessment
Purpose & Capability
The SKILL.md describes a vetting tool that needs network checks (GitHub/ClawHub) and text inspection; requiring curl and jq is consistent. However there are incoherences: the registry lists this package as 'security-skiil-scanner' while SKILL.md and README call it 'skill-vetter' / 'openclaw-skill-vetter'; _meta.json slug/ownerId differ from the registry metadata. The README/SKILL.md also instructs use of the 'clawhub' CLI but 'clawhub' is not declared in required binaries.
Instruction Scope
Instructions explicitly direct the agent to download repos, list and cat all skill files, and call GitHub APIs — actions that are appropriate for a vetting tool. This scope is broad (it tells the agent to 'read ALL files' in a fetched package), which is expected for vetting but will reveal any secrets embedded in the inspected repo. The instructions do not request secrets or system credentials, but they do instruct network access to GitHub/ClawHub domains.
Install Mechanism
No install spec (instruction-only), so nothing is written to disk by an installer. This is the lowest-risk install model and matches the skill being a guidance/protocol document.
Credentials
The skill requests no environment variables or credentials (primaryEnv none). That is proportionate to a vetting/protocol skill. It will, however, instruct network calls which are necessary for its checks.
Persistence & Privilege
always:false and default model invocation are in place. The skill does not request permanent elevated privileges or the ability to modify other skills' config. Autonomous invocation is allowed by default (not flagged here), but weigh it together with the other concerns when deciding whether to allow autonomous runs.
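How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install security-skiil-scanner`
- Once installation completes, call the Skill by name or trigger it with `/security-skiil-scanner`
- Provide the required input according to the Skill's parameter description to get structured output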
Version history
v1.0.0
Initial release of Security Skill Scanner – skill-vetter.
- Provides a systematic security vetting protocol for AI agent skills before installation.
- Detects red flags such as credential theft, obfuscated code, and unauthorized exfiltration.
- Classifies risk as LOW, MEDIUM, HIGH, or EXTREME, with clear install recommendations.
- Includes detailed checklists and report templates for consistent vetting.
- Supports vetting for skills from ClawHub and GitHub; includes practical code review commands.
- Strongly advises never installing untrusted skills without running this process first.
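Metadata
FAQ
What is security-skiil-scanner?
Security vetting protocol before installing any AI agent skill. Red flag detection for credential theft, obfuscated code, exfiltration. Risk classification L... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 291 cumulative downloads to date.
How do I install security-skiil-scanner?
Run the command "/install security-skiil-scanner" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.
Is security-skiil-scanner free?
Yes, security-skiil-scanner is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does security-skiil-scanner support?
security-skiil-scanner runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (linux, darwin, win32).
Who developed security-skiil-scanner?
Developed and maintained by firebroo (@firebroo); the current version is v1.0.0.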