jason-allen-oneal

Openclaw Skill Scanner

Author: Jason O'Neal · GitHub ↗ · v1.0.2
cross-platform ✓ Security check passed
Total downloads: 1013
Favorites: 2
Current installs: 1
Versions: 5
Install in OpenClaw
/install skill-scanner-guard
Description
Security gate for OpenClaw AgentSkills. Scans folder/ClawHub skills with cisco-ai-defense/skill-scanner before installation. Supports manual scans, staged in...
Security usage recommendations
This skill does what it says: it runs a scanner and can auto‑quarantine skills with High/Critical findings. Before enabling it, consider: 1) it executes third‑party code (the scanner from the GitHub repo and npm packages via npx/uv), so you must trust those upstream projects; 2) it will move (quarantine) user skill directories when High/Critical findings occur — back up your ~/.openclaw/skills if you want a safety copy; 3) it expects 'uv' and 'npx' (and optionally systemd --user) to be available — install and test those first; 4) review the scanner's code/behavior (cisco-ai-defense/skill-scanner and any npm packages used) if you need a higher assurance level. If you are uncomfortable with automated moves, run the scripts manually in a staging environment first.
Functional analysis
Type: OpenClaw Skill
Name: skill-scanner-guard
Version: 1.0.2
This skill bundle is designed to enhance OpenClaw's security by acting as a 'skill scanner guard'. It orchestrates the use of an external `cisco-ai-defense/skill-scanner` tool to scan other OpenClaw skills for security issues, blocking or quarantining those with high-severity findings. All scripts (`auto_scan_user_skills.sh`, `clawhub_scan_install.sh`, `scan_and_add_skill.sh`, `scan_openclaw_skills.sh`) are transparently implemented, align with the stated defensive purpose, and include input sanitization for skill names and slugs. The `SKILL.md` instructions are clear and do not contain any prompt injection attempts. There is no evidence of intentional malicious behavior such as data exfiltration, unauthorized execution, or persistence mechanisms beyond its stated security function.
Capability assessment
Purpose & Capability
The name/description match the actual behavior: scripts clone/run a skill-scanner, scan user/builtin skills, and quarantine High/Critical findings. The declared runtime tooling in SKILL.md (uv, npx, git, systemctl) aligns with what the scripts call. One minor inconsistency: the registry metadata lists no required env vars, while SKILL.md references OPENCLAW_STATE_DIR and OPENCLAW_WORKSPACE_DIR (the scripts use these with sane defaults).
Instruction Scope
The scripts stay within the stated scope (scan directories, write reports, move failing skill dirs into a quarantine path). They do not read or transmit secrets or access unrelated system config. Important: they run third‑party tooling (uv run skill-scanner, npx clawhub) which executes code from the scanner repo / npm packages — this is expected for a scanner but increases the trust surface. The quarantine logic is careful to only move directories under the user's skills dir.
Install Mechanism
No formal install spec (instruction-only) — scripts instruct cloning the scanner repo from GitHub and using 'uv' and 'npx'. That means remote code (GitHub repo and npm packages) will be fetched and executed by the user. The scripts themselves do not download arbitrary binaries or use obscure URLs; they rely on widely used hosts (github.com, npm via npx).
Credentials
The skill does not request credentials or secrets and only needs workspace/state paths (OPENCLAW_STATE_DIR, OPENCLAW_WORKSPACE_DIR). Those are proportional to its purpose. The registry metadata not listing them is a minor metadata omission but not a dangerous behavior. No unrelated environment variables or config paths are accessed.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill does not attempt to modify other skills' configuration or system-wide settings beyond recommending/using systemd --user units; the systemd unit templates are optional and run as the user. The quarantine move is limited to ~/.openclaw/skills/* and is performed only on High/Critical findings.
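How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install skill-scanner-guard
  3. Once installed, invoke the Skill by name or trigger it with /skill-scanner-guard
  4. Provide the required inputs according to the Skill's parameter description to get structured output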
Version history
v1.0.2
Added env declarations and confirmed references directory inclusion.
v1.0.1
Fixed binary declarations and renamed internally to openclaw-skill-scanner.
v1.0.0
Security hardening pass.
v0.1.1
Add MIT license field; align local skill folder name + internal paths with published slug skill-scanner-guard.
v0.1.0
Initial release: scan OpenClaw skills with cisco-ai-defense/skill-scanner; block High/Critical; allow Medium+warn; auto-scan + quarantine on ~/.openclaw/skills changes via systemd user path unit; wrappers for folder installs and ClawHub installs.
Metadata
Slug skill-scanner-guard
Version 1.0.2
License
Total installs 1
Current installs 1
Number of versions 5
FAQ

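What is Openclaw Skill Scanner?

Security gate for OpenClaw AgentSkills. Scans folder/ClawHub skills with cisco-ai-defense/skill-scanner before installation. Supports manual scans, staged in... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1013 total downloads to date.

How do I install Openclaw Skill Scanner?

Run the command "/install skill-scanner-guard" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Openclaw Skill Scanner free?

Yes, Openclaw Skill Scanner is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Openclaw Skill Scanner support?

Openclaw Skill Scanner runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Openclaw Skill Scanner?

Developed and maintained by Jason O'Neal (@jason-allen-oneal); the current version is v1.0.2.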
