Total downloads: 248
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install skill-sec-scan-en
Description
Automatically detects security risks such as data exfiltration, injection, code obfuscation, and trojans/backdoors in JavaScript, TypeScript, Python and Shell files, and generates a detailed report.
Safe usage advice
This skill appears internally consistent with its stated purpose (a static security scanner). Before running it:
- Review scripts/scan.sh and scan-all.sh to confirm how they handle remote URLs (cloning/downloading) and whether they execute any network commands.
- Run the scanner in a sandboxed environment or VM, and avoid running it as root.
- If you intend to scan your installed skills, consider copying the skills directory to a safe location first.
- Be aware that the scanner uses regex-based detection, so expect false positives and false negatives; manually inspect any reported findings.
- The skill will create/read whitelist.txt in its own directory and will execute its scripts locally (via child_process.execSync). That is normal for a scanner, but it means the skill can perform any side-effecting action your account permits.
If you are unsure about allowing shell/script execution or network access, inspect the shell scripts line by line or run them in an isolated container before using them with real repositories or sensitive directories.
Functional analysis
Type: OpenClaw Skill
Name: skill-sec-scan-en
Version: 1.0.0
The skill is a security scanner designed to perform static analysis on other OpenClaw skills. While its stated purpose is defensive, it contains a critical Shell Injection vulnerability in `index.js`, where user-supplied arguments are passed unsanitized to `child_process.execSync`. Additionally, `scripts/scan.sh` performs network requests to an external endpoint (`wry-manatee-359.convex.site`) to download and unzip remote content, which is a high-risk behavior for a security tool. These flaws allow for potential arbitrary command execution if a user provides a crafted skill name or URL.
Capability assessment
Purpose & Capability
The name/description (security scanner for JS/TS/Python/Shell) matches the provided artifacts: a CLI wrapper (index.js), a Node scanner (node/scanner.js) implementing regex rules, and shell scripts (scripts/scan.sh, scan-all.sh). No unrelated environment variables, binaries, or cloud credentials are requested.
Instruction Scope
SKILL.md explicitly instructs the agent to run local scripts (./scripts/scan.sh, ./scripts/scan-all.sh) against local skill directories and remote URLs. That behavior is coherent for a scanner, but it means the skill will read arbitrary skill directories (e.g., ~/.openclaw/workspace/skills) and may fetch/inspect remote repos. The instructions give the agent permission to execute the included shell scripts (and the code does so via execSync), so the runtime has the ability to perform filesystem and network operations consistent with a scanner.
Install Mechanism
No install spec is declared (instruction-only at registry level), and the bundle includes local scripts and Node code that will be executed in-place. There are no downloads from untrusted URLs during an install step. This is appropriate for a script-based scanner, but note the skill executes those local scripts when invoked.
Credentials
The skill declares no required environment variables or credentials. The scanner's detection rules look for occurrences of cloud-related env vars inside target code (e.g., process.env.AWS_), which is expected for a security scanner and does not imply the skill needs those secrets itself.
Persistence & Privilege
always:false (normal). The skill does not request permanent system-wide presence and does not modify other skills' configurations in the provided files. It will create/read a local whitelist file inside its package and read user skill directories when run; autonomous invocation is allowed by default (normal) but not forced.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install skill-sec-scan-en
- After installation, call the skill by name directly or trigger it with /skill-sec-scan-en
- Provide the inputs required by the skill's parameter description to get structured output.
Version history
v1.0.0
Skill Security Scanner v1.0.0 — Initial Release
- Introduces an enterprise-grade skill security scanner supporting JavaScript, TypeScript, Python, and Shell file types.
- Detects four major threat categories: data exfiltration, injection attacks, code obfuscation, and trojans/backdoors.
- Implements 57 detailed detection rules, covering 60+ dangerous operation patterns.
- Features an intelligence-driven static analysis engine with quantitative scoring (0–100) and clear risk levels.
- Supports remote (ClawHub/GitHub) and local scanning, batch operations, detailed risk reports, and user-defined whitelists.
- Provides standard report templates, natural language triggers, and full documentation for usage and result interpretation.
FAQ
What is Skill Security Scanner?
It automatically detects security risks such as data exfiltration, injection, code obfuscation, and trojans/backdoors in JavaScript, TypeScript, Python and Shell files, and generates a detailed report. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 248 downloads so far.
How do I install Skill Security Scanner?
Run the command /install skill-sec-scan-en in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Skill Security Scanner free?
Yes. Skill Security Scanner is completely free and released under the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does Skill Security Scanner support?
Skill Security Scanner is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who develops Skill Security Scanner?
It is developed and maintained by moer (@torchesfrms); the current version is v1.0.0.