← 返回 Skills 市场

Security Vulnerability Scanner

Name: Security Vulnerability Scanner
Author: honestqiao

作者 HonestQiao · GitHub ↗ · v1.0.0

cross-platform ✓ 安全检测通过

1182

总下载

当前安装

版本数

在 OpenClaw 中安装

/install security-vuln-scanner

功能描述

扫描代码中常见安全漏洞如SQL注入、XSS、硬编码密码，提供检测结果和安全评分建议。

使用说明 (SKILL.md)

Security Vulnerability Scanner

扫描代码中的安全漏洞，提供修复建议。

功能

SQL 注入检测
XSS 跨站脚本检测
硬编码密码/密钥检测
不安全随机数检测
命令注入检测
敏感信息泄露检测
安全评分

触发词

"安全扫描"
"漏洞检测"
"security scan"
"vulnerability"

检测模式

const patterns = {
  sqlInjection: /query\s*\(\s*['"`].*\$\{/,
  xss: /innerHTML\s*=|document\.write/,
  hardcodedSecret: /password\s*=\s*['"][^'"]+['"]/,
  insecureRandom: /Math\.random\(\)/,
  commandInjection: /exec\s*\(\s*\$\{/
};

输出示例

{
  "vulnerabilities": [
    {
      "type": "sql_injection",
      "line": 42,
      "severity": "high",
      "message": "检测到SQL注入风险"
    }
  ],
  "score": 65
}

安全使用建议

This skill is a simple, local regex-based scanner that expects you to pass code as a string and returns pattern matches and a score. It does not request credentials or install software, so it is internally coherent. However, the detection rules are basic and JavaScript-centric — expect false positives and missed issues. Before relying on it for security decisions, review and extend its patterns for your languages, test it on known vulnerable/clean samples, and prefer established static analysis tools for critical codebases.

功能分析

Type: OpenClaw Skill Name: security-vuln-scanner Version: 1.0.0 The skill 'security-vuln-scanner' is designed to perform static analysis on provided code to detect common vulnerabilities like SQL injection, XSS, hardcoded secrets, and command injection using regex patterns. The code does not exhibit any malicious behavior such as data exfiltration, unauthorized execution, persistence mechanisms, or prompt injection attempts against the agent. Its functionality is clearly aligned with its stated purpose as a security scanner, and it does not introduce any high-risk operations like file system access or network communication.

能力评估

✓ Purpose & Capability

Name and description (static vulnerability scanning) match the provided runtime instructions and patterns. The skill is instruction-only and expects code as input (scan_vulnerabilities(code, language)), which is consistent with its purpose.

ℹ Instruction Scope

Instructions implement simple regex-based checks embedded in SKILL.md/skill.yaml and do not direct the agent to read files, environment variables, or external endpoints. Note: the scan is purely pattern matching (JavaScript-oriented patterns) and lacks guidance on how code is supplied or on multi-language support; this limits coverage and may produce false positives/negatives.

✓ Install Mechanism

No install spec or external downloads — lowest-risk configuration (instruction-only), nothing is written to disk by an installer.

✓ Credentials

The skill requests no environment variables, credentials, or config paths; this is proportionate for a static analyzer that operates on provided code strings.

✓ Persistence & Privilege

always is false and the skill does not request elevated or persistent privileges. Autonomous invocation is allowed by default but is not combined with any broad credential access or persistent modification.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install security-vuln-scanner
安装完成后，直接呼叫该 Skill 的名称或使用 /security-vuln-scanner 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of Security Vulnerability Scanner. - Scans code for common security vulnerabilities. - Detects SQL injection, XSS, hardcoded passwords/keys, insecure random, command injection, and sensitive information leaks. - Provides security score and specific remediation suggestions. - Triggered by phrases like "安全扫描", "漏洞检测", "security scan", and "vulnerability". - Outputs detailed vulnerability reports and scores for identified issues.

元数据

Slug security-vuln-scanner

版本 1.0.0

许可证 —

累计安装 5

当前安装数 4

历史版本数 1

常见问题