
Skill-Scanner-Pro

Author: GravityPoet · GitHub · v0.1.4
cross-platform · ✓ Passed security check
Total downloads: 421
Favorites: 0
Current installs: 2
Versions: 2
Install in OpenClaw:
/install skill-scanner-pro
Description
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data...
Safe-use recommendations
This package appears to be a straightforward local static scanner and UI for auditing Clawdbot/MCP skills. Before installing or running it:
  1. Verify the source: confirm the GitHub repository and registry owner match and review the full repo for unexpected network calls or shell execution (the README points to a GitHub repo whose owner differs from the registry owner).
  2. Run the scanner on copies of skill folders in an isolated environment (container or VM), not as root, particularly when scanning untrusted skills.
  3. Expect false positives (patterns like '.env' or credential path mentions will be flagged); review findings manually.
  4. If you use the Streamlit UI, install streamlit in a controlled environment; the UI writes uploaded files to a temporary directory.
  5. If you need higher assurance, review the full, untruncated source for any hidden network access or subprocess execution before trusting it with sensitive directories.
Functional analysis
Type: OpenClaw Skill
Name: skill-scanner-pro
Version: 0.1.4
This skill is a security audit tool designed to scan other OpenClaw skills for malicious patterns, including data exfiltration, system modification, crypto-mining, and arbitrary code execution. The code (`skill_scanner.py`) implements a comprehensive set of regex patterns to detect these threats in target files. Crucially, it includes logic (`_is_definition_noise`) to prevent it from flagging its own pattern definitions as malicious, demonstrating clear benign intent. The `SKILL.md` and `README.md` provide accurate descriptions and usage instructions without any prompt injection attempts. The `streamlit_ui.py` frontend handles user input safely by writing it to temporary files before scanning, without executing user-provided code. All components align with the stated purpose of a security scanner and exhibit no malicious behavior themselves.
Capability assessment
Purpose & Capability
Name/description match the delivered artifacts: a Python scanner (skill_scanner.py) and an optional Streamlit UI (streamlit_ui.py) that scan skill folders for threat patterns. No unrelated environment variables, binaries, or system-level credentials are requested. Minor provenance inconsistencies: registry metadata lists version 0.1.4 while _meta.json/README reference 0.1.3, and README suggests cloning a GitHub repo owned by 'bvinci1-design' while the registry owner is different—this is not a direct security issue but reduces confidence in source provenance.
Instruction Scope
SKILL.md and README instruct the agent/user to run the scanner against local skill folders or upload ZIPs/code in the Streamlit UI. The scanner's runtime behavior (reading files under the provided path, skipping ignored directories, and reporting matches) aligns with the stated purpose. It does read file contents from paths you point it at (including SKILL.md, code files, and uploaded archives) — expected for a scanner.
Install Mechanism
No install spec is provided (instruction-only installer) and the scanner claims to use only the Python standard library. The Streamlit UI is optional and requires installing the streamlit package if you want the web interface. There are no remote downloads or archive extraction steps performed by the skill itself; README suggests cloning the GitHub repo (standard practice) but that is an out-of-band action the user performs.
Credentials
The skill does not request any environment variables or credentials. The scanner intentionally scans targets for uses of credential paths and environment access (that is its purpose). Be aware it will read any files you point it at — do not point it at sensitive directories unless you intend it to scan them.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent system privileges. The Streamlit UI and CLI use temporary directories for uploaded content; no code in the provided snippets indicates modification of other skills or system settings. Standard caution: run untrusted code (including tools) in isolated environments when possible.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install skill-scanner-pro
  3. After installation, call the Skill by name directly or trigger it with /skill-scanner-pro
  4. Provide the required inputs as described in the Skill's parameter documentation to get structured output
Version history
v0.1.4
Maintenance release: continue publication without fork metadata; no functional scanner changes.
v0.1.3
Pro enhanced edition: fixed Streamlit UI rendering/export; reduced false positives by fenced-code-only markdown scanning; suppressed self-noise; skip noisy dirs and oversized/binary files.
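As an added illustration (not the project's own code) of the scanner behaviour the analysis and the v0.1.3 notes describe: fenced-code-only markdown scanning, suppression of the scanner's own pattern definitions, and skipping of oversized or binary files. The pattern set, size limit, ignored directories and helper names here are assumptions made for this example.

```python
import re
from pathlib import Path

# Constructed detection patterns (assumption: the real tool's set is larger).
PATTERNS = {
    "env_read": re.compile(r"os\.environ\b|os\.getenv\("),
    "credential_path": re.compile(r"~/\.(?:ssh|aws)/|\.env\b"),
    "shell_exec": re.compile(r"subprocess\.(?:run|Popen|call)\(|os\.system\("),
    "network": re.compile(r"requests\.(?:get|post)\(|urllib\.request|curl\s+https?://"),
}
MAX_BYTES = 512 * 1024                       # assumed oversize cutoff
IGNORED_DIRS = {".git", "node_modules", "__pycache__"}
FENCE_RE = re.compile(r"```[^\n]*\n(.*?)```", re.S)   # fenced blocks in markdown


def _is_definition_noise(line):
    # A line that merely *defines* a pattern (as a scanner's own source does)
    # or is a comment is not treated as a finding; this is the self-noise check.
    stripped = line.lstrip()
    return "re.compile(" in stripped or stripped.startswith("#")


def _is_binary(data):
    # NUL bytes in the first KiB are a cheap binary-file heuristic.
    return b"\x00" in data[:1024]


def scan_text(text, is_markdown):
    # For markdown, only fenced code blocks are scanned, so prose that mentions
    # ".env" or "curl" in documentation does not produce findings.
    regions = FENCE_RE.findall(text) if is_markdown else [text]
    findings = []
    for region in regions:
        for line in region.splitlines():
            if _is_definition_noise(line):
                continue
            for name, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append((name, line.strip()))
    return findings


def scan_folder(root):
    # Walk a skill folder, skip noisy directories and oversized/binary files,
    # and return {relative_path: [(pattern_name, line), ...]} for files with hits.
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or IGNORED_DIRS.intersection(path.parts):
            continue
        data = path.read_bytes()
        if len(data) > MAX_BYTES or _is_binary(data):
            continue
        hits = scan_text(data.decode("utf-8", "replace"), path.suffix == ".md")
        if hits:
            results[str(path.relative_to(root))] = hits
    return results
```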
Metadata
Slug: skill-scanner-pro
Version: 0.1.4
License:
Total installs: 2
Current installs: 2
Version count: 2
FAQ

What is Skill-Scanner-Pro?

Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 421 cumulative downloads to date.

How do I install Skill-Scanner-Pro?

Run the command "/install skill-scanner-pro" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.

Is Skill-Scanner-Pro free?

Yes, Skill-Scanner-Pro is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Skill-Scanner-Pro support?

Skill-Scanner-Pro runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Skill-Scanner-Pro?

Developed and maintained by GravityPoet (@gravitypoet); the current version is v0.1.4.
