Skill Security Scanner
Author: utopiabenben (GitHub) · v0.1.0 · MIT-0
Total downloads: 104
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw:
/install skill-secure-checker
Description
Automatically scans Python skill code to detect security risks like malicious patterns, hardcoded secrets, dangerous functions, and integrates VirusTotal sca...
Safe usage recommendations
This package appears to implement what it advertises: a local Python static scanner with an optional VirusTotal step. Before installing or running it:
1) Inspect install.sh. It symlinks source/cli.py into ~/.local/bin, so make sure that path is acceptable and that you know where the repo will live; the link breaks if the repo is later moved or deleted.
2) If you plan to enable VirusTotal, review the implementation of _scan_with_virustotal (truncated in the provided files) to confirm it contacts only VirusTotal and handles the API key safely. Check in particular whether it looks up file hashes or uploads file contents, since an upload discloses the scanned code to a third party.
3) Run the tool against a test directory first (not production code) to see its outputs and confirm it does not contact unexpected endpoints.
4) The scanner reads every file under the supplied skill_path (including some non-Python text and config files), so point it only at directories you intend to scan.
5) The registry metadata omits an install spec although the package contains an installer, so prefer manual inspection and manual installation into a controlled location (or a virtual environment) over running the install script blindly.
Functional analysis
Type: OpenClaw Skill
Name: skill-secure-checker
Version: 0.1.0
The skill is a legitimate security scanning tool for static analysis of Python code and configuration files. It identifies dangerous functions (e.g., eval, exec, os.system), hardcoded secrets (API keys, tokens), and insecure communication patterns. The implementation in source/scanner.py uses the Python ast module for structural analysis, which inspects code without executing it, and standard regexes for secret detection. The installation script (install.sh) and CLI entry point (source/cli.py) follow standard practice for local tools, and no evidence of data exfiltration, malicious execution, or prompt injection was found in the visible code.
Capability assessment
Purpose & Capability
Name, description, CLI, scanner implementation, and tests all align: this is a Python static analyzer that optionally queries VirusTotal. The declared runtime requirements (no mandatory environment variables) are consistent. Minor inconsistency: the registry metadata says 'No install spec / instruction-only', but the package includes an install.sh and a skill.json with an install script, so the package is not purely instruction-only as the registry entry implies.
Instruction Scope
SKILL.md and the CLI direct the tool to read files under the user-supplied skill_path, generate JSON/HTML reports, and optionally call VirusTotal when a key is provided. The scanner code shows AST-based checks, regex checks, config and text file scanning, and limits (text files capped at 10, VirusTotal scans capped at the first 5 files). It does not attempt to read unrelated system configs or environment variables beyond the optional VirusTotal key, and it does not transmit data anywhere else in the visible code. Review the truncated _scan_with_virustotal implementation to confirm that only VirusTotal is contacted and no other endpoints are used.
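As an added illustration of the two analysis passes described above (the ast module for dangerous calls, regexes for secrets) and of the per-file caps, here is a minimal scanner written for this page. It is not skill-secure-checker's code; its rule lists, severity weights, thresholds and the SAMPLE_SKILL input are constructed assumptions. It also shows the caveat a name-based AST check carries: a call assembled at runtime with getattr is not flagged, while the word eval inside a comment is correctly ignored.

```python
# Added example (not skill-secure-checker's own code): a minimal AST + regex
# skill scanner. Rule lists and weights below are constructed for illustration.
import ast
import json
import re
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import List

# Dotted call names treated as dangerous, each with a severity (assumed list).
DANGEROUS_CALLS = {
    "eval": "HIGH", "exec": "HIGH", "os.system": "HIGH", "os.popen": "HIGH",
    "pickle.loads": "HIGH", "subprocess.run": "MEDIUM",
    "subprocess.Popen": "MEDIUM", "compile": "MEDIUM",
}
# Secret regexes modelled on the prefixes the page names (sk-, ghp_, JWT).
SECRET_PATTERNS = {
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}
SEVERITY_WEIGHT = {"HIGH": 10, "MEDIUM": 5, "LOW": 1}
TEXT_SUFFIXES = {".txt", ".md", ".json", ".yaml", ".yml", ".toml", ".env", ".cfg", ".ini"}


@dataclass
class Finding:
    kind: str      # dangerous_call | hardcoded_secret | parse_error
    detail: str
    line: int
    severity: str


def _dotted_name(node):
    """'os.system' for os.system(...), 'eval' for eval(...), None for dynamic targets."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_text_for_secrets(text: str) -> List[Finding]:
    """Regex pass over raw lines; used for Python sources and config/text files alike."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                found.append(Finding("hardcoded_secret", kind, lineno, "HIGH"))
    return found


def scan_python_source(src: str) -> List[Finding]:
    """AST pass: flags calls by resolved dotted name, so comments and strings never match."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [Finding("parse_error", exc.msg, exc.lineno or 0, "LOW")]
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DANGEROUS_CALLS:
                found.append(Finding("dangerous_call", name, node.lineno, DANGEROUS_CALLS[name]))
    found.extend(scan_text_for_secrets(src))
    return sorted(found, key=lambda f: f.line)


def risk_score(findings: List[Finding]) -> int:
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def risk_level(score: int, thresholds=((20, "HIGH"), (8, "MEDIUM"), (1, "LOW"))) -> str:
    """Map a score to a label; the thresholds are configurable, as the changelog claims."""
    for floor, label in thresholds:
        if score >= floor:
            return label
    return "SAFE"


def scan_skill_path(skill_path, max_text_files: int = 10) -> dict:
    """Every .py file is scanned; non-Python text files are capped, like the page's limit of 10."""
    results, text_seen = {}, 0
    for path in sorted(Path(skill_path).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix == ".py":
            results[str(path)] = scan_python_source(path.read_text(errors="replace"))
        elif path.suffix in TEXT_SUFFIXES and text_seen < max_text_files:
            text_seen += 1
            results[str(path)] = scan_text_for_secrets(path.read_text(errors="replace"))
    return results


# Constructed sample skill source (the key is fake): the AST pass catches lines 2, 4
# and 5 but misses the runtime-built getattr on line 7 and ignores the comment on line 8.
SAMPLE_SKILL = '''import os
API_KEY = "sk-abcdefghijklmnopqrstuvwxyz0123"
def run(cmd):
    os.system(cmd)
    return eval("1+1")
def evade():
    return getattr(os, "sys" + "tem")
# the word eval in this comment is not a call and is not flagged
'''

if __name__ == "__main__":
    findings = scan_python_source(SAMPLE_SKILL)
    print(json.dumps({"findings": [asdict(f) for f in findings],
                      "score": risk_score(findings),
                      "level": risk_level(risk_score(findings))}, indent=2))
```

Running the file prints a JSON report for the sample. The getattr evasion on line 7 of the sample passing silently is why a clean report from a name-based scanner means only that no known-bad patterns were found, not that the skill is safe.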
Install Mechanism
No formal install spec in registry, but the repo contains install.sh that creates a symlink in ${HOME}/.local/bin to source/cli.py and sets execute bits. This is simple but fragile: the symlink points into the repo directory (so moving/cleaning the repo can break the CLI). No external downloads or network installers are used. Review install.sh before running; it does not perform privileged actions.
Credentials
The only optional credential is a VirusTotal API key (virustotal_api_key / VT_API_KEY), which is appropriate for the optional VirusTotal integration. The skill does not request unrelated credentials or system secrets in its metadata. The scanner itself looks for hardcoded secrets in scanned code (sk-, ghp_, JWT patterns) which is expected behavior for this tool.
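Because _scan_with_virustotal is truncated in the provided files, here is an added example of the shape a reviewer should look for in that function. It is written for this page, not taken from the skill, and it shows four properties worth confirming in the real code: the key is read from the environment only (VT_API_KEY / virustotal_api_key), a single pinned VirusTotal host is contacted, the lookup sends a SHA-256 hash rather than file contents, and at most 5 files are checked. The endpoint and response fields are those of the public VirusTotal v3 file-report API; the injectable transport parameter, the fake key and the helper names are assumptions made so the logic runs offline. Whether the skill itself looks up hashes or uploads files is not visible on this page.

```python
# Added example (not the skill's _scan_with_virustotal): a hash-only VirusTotal
# reputation step with the key sourced from the environment and a 5-file cap.
import hashlib
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"  # the only host contacted
MAX_VT_FILES = 5  # the page says the skill limits VirusTotal scans to the first 5 files

# A transport takes (url, headers) and returns the parsed JSON body, or None for 404.
# Injectable so the logic can be exercised offline (assumption for this example).
Transport = Callable[[str, Dict[str, str]], Optional[dict]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_api_key(env=os.environ) -> Optional[str]:
    """The key comes from the environment only, never from a file inside the scanned tree."""
    key = env.get("VT_API_KEY") or env.get("virustotal_api_key")
    return key.strip() if key else None


def default_transport(url: str, headers: Dict[str, str]) -> Optional[dict]:
    """Real HTTP GET; VirusTotal answers 404 for a hash it has never seen."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def lookup_hash(digest: str, api_key: str, transport: Transport = default_transport) -> dict:
    """Reputation by SHA-256: only the hash leaves the machine; the key travels in a header, not the URL."""
    url = VT_FILES_ENDPOINT + digest
    body = transport(url, {"x-apikey": api_key, "Accept": "application/json"})
    if body is None:
        return {"sha256": digest, "known": False, "malicious": 0, "suspicious": 0}
    stats = body.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    return {"sha256": digest, "known": True,
            "malicious": int(stats.get("malicious", 0)),
            "suspicious": int(stats.get("suspicious", 0))}


def vt_check_files(files: List[bytes], api_key: str,
                   transport: Transport = default_transport,
                   max_files: int = MAX_VT_FILES) -> List[dict]:
    """Hash each file locally and look up at most max_files of them."""
    return [lookup_hash(sha256_hex(data), api_key, transport) for data in files[:max_files]]


if __name__ == "__main__":
    key = load_api_key()
    if key is None:
        print("VT_API_KEY not set; VirusTotal step skipped")  # the step is optional
    else:
        print(json.dumps(vt_check_files([b"print('hi')\n"], key), indent=2))
```

When reviewing the real function, the things to diff against this sketch are the URL construction (is the host fixed?), where the key is read from and whether it can end up in a URL or a log line, and whether the call is a GET by hash or a POST that uploads the file.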
Persistence & Privilege
The always flag is false and the skill does not request persistent platform privileges. The installer creates a user-level symlink in ~/.local/bin only. When asked, the tool writes HTML reports into the scanned skill_path, which is expected; it does not modify other skills' configs or global agent settings in the visible code.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install skill-secure-checker
- After installation, call the skill by name directly or trigger it with /skill-secure-checker
- Provide the required inputs according to the skill's parameter description to get structured output.
Version history
v0.1.0
skill-secure-checker v0.1.0
- Initial release supporting static code analysis for Python skills.
- Detects hardcoded secrets, dangerous functions, and risky code patterns.
- Integrates VirusTotal API for optional file reputation checks.
- Outputs machine-readable JSON and user-friendly HTML security reports.
- Risk scoring with configurable severity thresholds.
- Zero external Python dependencies; works standalone.
FAQ
What is Skill Security Scanner?
Automatically scans Python skill code to detect security risks like malicious patterns, hardcoded secrets, dangerous functions, and integrates VirusTotal sca... It is an AI agent skill plugin for Claude Code / OpenClaw, with 104 downloads to date.
How do I install Skill Security Scanner?
Run the command /install skill-secure-checker in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is Skill Security Scanner free?
Yes. Skill Security Scanner is completely free under the MIT-0 license and may be freely downloaded, installed and used.
Which platforms does Skill Security Scanner support?
Skill Security Scanner is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed Skill Security Scanner?
Developed and maintained by utopiabenben (@utopiabenben); the current version is v0.1.0.