Skill Security Scanner

Author: suryast · GitHub · v1.0.1
cross-platform · ⚠ suspicious
Total downloads: 829
Favorites: 1
Current installs: 4
Versions: 2
Install in OpenClaw
/install skill-security
Description
Security audit tool for OpenClaw skills. Scans for credential harvesting, code injection, network exfiltration, obfuscation. ALWAYS run before installing any...
Safe-usage recommendations
This looks like a coherent local security auditor. Before running it: (1) review the shipped scripts yourself (they will execute locally and read files you point them at); (2) be aware the scanner uses broad regexes and can produce false positives—manually inspect any HIGH/CRITICAL matches; (3) confirm blocklist.txt and allowlist.txt are stored where you expect (they are in the skill directory) before trusting automatic writes; (4) note the SKILL.md advertises paid 'premium' links — unrelated to the audit functionality; (5) if you plan to run this automatically in agents, treat it like any third-party tool: run it in a trusted environment and consider code review or running in a sandbox first.
Functional analysis
Type: OpenClaw Skill
Name: skill-security
Version: 1.0.1
The OpenClaw AgentSkills skill bundle is designed as a security audit tool, and its core functionality in `audit.sh` appears benign and aligned with its stated purpose. However, the `preinstall-check.sh` script contains a regex injection vulnerability: when checking `blocklist.txt` and `allowlist.txt`, it uses the `SKILL_NAME` directly as a regex pattern in `grep`. A malicious skill could be named with regex metacharacters (e.g., `.` or `*`) to potentially bypass existing blocklist entries or trick the allowlist mechanism, leading to an unintended security bypass. This is a vulnerability in the security tool itself, not evidence of intentional malicious behavior by this skill.
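To make the regex-injection point concrete, here is an added example (not the skill's own `preinstall-check.sh`, and not code from its author) that puts a weak list lookup next to a hardened one. The list file names and entries are constructed for the demo; the hardened lookup uses `grep -F` (fixed string), `-x` (whole line) and `--` (end of options) so that a skill name containing metacharacters, a substring of a real entry, or a leading `-` cannot change the outcome.

```bash
#!/bin/sh
# Added example, not part of the skill. Shows why an untrusted skill name must
# not be used as a grep regex when consulting allowlist/blocklist files, and
# what the safe lookup looks like. All paths and list entries are constructed.

# Constructed sample lists (in the real skill they live in the skill directory).
WORKDIR="${TMPDIR:-/tmp}/skill-security-example.$$"
mkdir -p "$WORKDIR"
ALLOWLIST="$WORKDIR/allowlist.txt"
BLOCKLIST="$WORKDIR/blocklist.txt"
printf '%s\n' "trusted-formatter" "docs-helper" > "$ALLOWLIST"
printf '%s\n' "evil-skill" "bad[beta]" > "$BLOCKLIST"

# Weak lookup (the pattern the analysis above describes): the name is parsed as a
# basic regular expression and matched as a substring, so '.', '[...]' and partial
# names all change the result.
list_contains_weak() {
    grep -q "$2" "$1"
}

# Hardened lookup: -F takes the name literally, -x requires the whole line to
# match, and -- prevents a name starting with '-' from being read as an option.
list_contains_safe() {
    grep -Fxq -- "$2" "$1"
}

# Policy decision using the hardened lookup. Prints one word:
#   blocked     name is on the blocklist
#   allowed     name is on the allowlist
#   needs-audit name is on neither list, so the scanner should run on it
classify_safe() {
    name="$1"
    if list_contains_safe "$BLOCKLIST" "$name"; then
        echo blocked
    elif list_contains_safe "$ALLOWLIST" "$name"; then
        echo allowed
    else
        echo needs-audit
    fi
}

# Remove the constructed files when the caller is done.
cleanup_example() {
    rm -rf "$WORKDIR"
}

# Stand-alone demonstration of the safe policy on a few constructed names.
for n in trusted-formatter evil-skill 'bad[beta]' . docs; do
    printf '%-18s -> %s\n' "$n" "$(classify_safe "$n")"
done
```

Running the script shows that with the hardened lookup a name of `.` or `docs` is neither allowed nor blocked but sent for audit, and the literal blocklist entry `bad[beta]` is still caught; the weak lookup matches `.` against every non-empty line and misses `bad[beta]` entirely, which is the bypass the analysis refers to.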
Capability assessment
Purpose & Capability
The SKILL.md and included shell scripts implement a static, pattern-based scanner for skills (network calls, credential file access, dynamic execution, base64, env access). The files present (audit.sh, audit-all.sh, preinstall-check.sh, allowlist/blocklist) are exactly what a simple local auditor would need; no unrelated cloud credentials, binaries, or config paths are requested.
Instruction Scope
Instructions are focused on running local audits and integrating a pre-install check. The auditor scans arbitrary skill directories (as intended) and prints matching lines; it does not send data externally. Note: the regexes are broad and will produce false positives (and may match comments or benign code). Also review the scripts before running, since they will read files you point them at and print matching lines (which could include secrets).
Install Mechanism
No install spec is provided (instruction-only with shipped scripts). That is low-risk from an install-network perspective. The provided scripts will be executed locally by the user/agent; they write to local blocklist/allowlist files in the skill directory, which is reasonable for a scanner.
Credentials
The skill requests no environment variables or credentials. The scripts use common environment values (HOME, provided skill path) only. There are no declared or hidden credential requirements.
Persistence & Privilege
`always` is false and the skill does not attempt to modify other skills' configs or system-wide agent settings. It does persist its own allowlist/blocklist files in its directory, which matches its purpose.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install skill-security
  3. After installation, call the skill by name directly or trigger it with /skill-security
  4. Provide the required inputs according to the skill's parameter description to receive structured output
Version history
v1.0.1
Add premium skills promo links
v1.0.0
Initial release — audit skills for credential harvesting, injection, exfiltration
Metadata
Slug: skill-security
Version: 1.0.1
License:
Cumulative installs: 6
Current installs: 4
Historical versions: 2
FAQ

What is Skill Security Scanner?

Security audit tool for OpenClaw skills. Scans for credential harvesting, code injection, network exfiltration, obfuscation. ALWAYS run before installing any... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 829 cumulative downloads so far.

How do I install Skill Security Scanner?

Run the command "/install skill-security" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.

Is Skill Security Scanner free?

Yes, Skill Security Scanner is completely free (open source and free of charge) and can be freely downloaded, installed and used.

Which platforms does Skill Security Scanner support?

Skill Security Scanner runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Skill Security Scanner?

Developed and maintained by suryast (@suryast); current version v1.0.1.