
Skill Audit

Author: modeioai · GitHub · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 342
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install skill-audit-modeio
Description
Runs a deterministic static safety audit for third-party AI skill or plugin repositories before install or execution. Use when asked to scan a skill repo, as...
Safe usage recommendations
This skill is a static auditor and appears to do what it says: read the target repository, run deterministic pattern-based scans, and optionally call GitHub OSINT. Before running: (1) Understand that the scanner will read all scanned files in the target repo (it does not execute target-repo code), so do not point it at repos that contain private secrets you don't want read. (2) If you enable GitHub OSINT or provide a GITHUB_TOKEN, the tool may make API/network calls; only provide credentials if you trust the tool and want higher rate limits. (3) The code uses git (if available) to get commit SHA—this is optional but expected. (4) If you need absolute assurance, review the run_github_osint_precheck and any network-calling functions before giving network access or a token. Overall the skill is internally consistent and proportionate for a repository safety auditor.
Functional analysis
Type: OpenClaw Skill
Name: skill-audit-modeio
Version: 0.1.0
The skill bundle is a comprehensive static analysis tool designed to perform security audits on third-party AI skills and repositories. It implements a multi-layered scanning engine (in `modeio_skill_audit/skill_safety/`) that detects prompt injection, shell execution risks, secret exfiltration patterns, and supply chain vulnerabilities using deterministic regex-based rules. While the tool performs network requests to the GitHub API for OSINT reputation checks (`repo_intel.py`) and utilizes `subprocess` for Git metadata, these actions are strictly aligned with its documented purpose as a security scanner and do not exhibit signs of malicious intent or unauthorized data exfiltration.
Capability assessment
Purpose & Capability
The name/description (static pre-install audit) matches the code and CLI: it walks a target repo, performs layered static scans (AST/patterns/prompt checks/secret checks/supply-chain checks), computes hashes, and optionally performs a GitHub OSINT precheck. Required resource list is minimal (python3). The README notes optional 'git' and optional 'GITHUB_TOKEN' for improved OSINT; these map to code usage (git subprocess call, GitHub API).
Instruction Scope
SKILL.md and CLI instruct the agent to scan a provided target repo and to not execute target-repo code; the implementation appears to respect that (it reads files, computes hashes, and pattern-scans). The engine will (optionally) call GitHub OSINT when the repo has a GitHub origin and will invoke git to obtain commit SHA if available. There is no instruction to read system files outside the target repo, to access unrelated environment variables, or to transmit secrets; however network calls to GitHub (OSINT) are performed when applicable.
Install Mechanism
No install spec is provided (instruction-only skill), which minimizes install-time risk. The package does include many Python source files bundled in the skill archive; executing the CLI requires running these Python files locally under python3. No downloads from untrusted URLs or archive extraction steps are present in the manifest.
Credentials
The skill declares no required environment variables and only requires python3. SKILL.md explicitly lists optional enhancements: git (optional) and GITHUB_TOKEN (optional for higher API rate limits). That is proportionate for a repo-auditor that performs a GitHub precheck. The code does invoke subprocess to call git (git_commit_sha) and may make HTTP requests during OSINT; those are expected. There are no unexplained SECRET/TOKEN/PASSWORD requirements.
Persistence & Privilege
The skill is not always:true, is user-invocable, and does not request permanent presence or elevated system-wide privileges. It does not attempt to modify other skills or system configs as part of its normal flow.
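How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install skill-audit-modeio
  3. Once installation completes, call the Skill by name or trigger it with /skill-audit-modeio
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history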
v0.1.0
Initial release of skill-audit-modeio.
  - Runs static, deterministic safety audits for third-party AI skill and plugin repositories before install or execution.
  - Provides commands for audit evaluation, prompt generation, evidence validation, and merge adjudication without executing code.
  - Excludes maintainer-only benchmarks and validation assets from public uploads.
  - Requires Python 3; optionally supports git and GitHub tokens for enhanced metadata and rate-limiting.
  - Designed to help users assess repository safety with evidence-backed, reproducible findings.
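Metadata
Slug skill-audit-modeio
Version 0.1.0
License MIT-0
Total installs 0
Current installs 0
Versions 1
FAQ

What is Skill Audit?

Runs a deterministic static safety audit for third-party AI skill or plugin repositories before install or execution. Use when asked to scan a skill repo, as... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 342 downloads to date.

How do I install Skill Audit?

Run the command "/install skill-audit-modeio" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Skill Audit free?

Yes. Skill Audit is completely free and released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does Skill Audit support?

Skill Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Skill Audit?

It is developed and maintained by modeioai (@modeioai); the current version is v0.1.0.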
