Skill Vetting Tianjin
Author: tianjin-ren · GitHub · v1.1.1 · MIT-0
Total downloads: 253
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install skill-vetting-tianjin
Description
Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing w...
Security usage advice
This skill appears to implement a local scanner and guidance for vetting other skills, but do not install or run it blindly. Before using it: (1) Verify the missing/mentioned files (e.g., mediate.py) or confirm the author intentionally omitted them; (2) Inspect scripts/scan.py locally to confirm it performs only local regex scanning (no network calls, no eval/exec, no subprocess.shell=True); (3) Be aware SKILL.md contains prompt-injection examples that will trip pattern detectors — treat those as test data, not operational instructions; (4) Check the metadata mismatch (ownerId/version) and confirm author identity; (5) Run the scanner in an isolated environment (container or VM) and manually review any CRITICAL findings before taking automated actions. If you need automated deployment, ensure your pipeline distinguishes 'example text' from live code to avoid false auto-rejects.
Functional analysis
Type: OpenClaw Skill
Name: skill-vetting-tianjin
Version: 1.1.1
The skill is a security utility designed to help AI agents vet other ClawHub skills for malicious patterns and utility. It includes a Python-based regex scanner (scripts/scan.py) that identifies dangerous functions (eval, exec, shell=True), obfuscation, and social engineering attempts. While SKILL.md contains instructions regarding prompt injection, these are defensive guidelines intended to harden the agent's review process rather than malicious overrides. The logic is transparent and aligned with its stated purpose.
Capability assessment
Purpose & Capability
The skill claims to be a vetting tool and includes a scanner (scripts/scan.py) and extensive documentation — that's coherent. However the ARCHITECTURE.md describes a 'mediate.py' mediator and a v2.0 workflow that are referenced but not included in the bundle; _meta.json version/ownerId differs from registry metadata; SKILL.md commands assume a specific install location (~/.openclaw/workspace/skills/skill-vetting) which may not match how the skill is installed. These mismatches suggest sloppy packaging or incomplete implementation and should be resolved before trusting automated workflows.
Instruction Scope
Runtime instructions are narrowly scoped to downloading a skill ZIP into /tmp, running the included scanner, and performing manual review — appropriate for a vetting tool. The SKILL.md also deliberately contains examples of prompt-injection text and regexes to detect them; that defensive content will trigger pattern detectors (and indeed a pre-scan found such a pattern). This is expected for a vetting tool but could cause naive automation to auto-reject or behave oddly if not handled carefully.
Install Mechanism
There is no install spec (instruction-only style) and the scanner runs locally. No remote downloads or extracted archives are performed by the skill itself. This is low-risk compared to skills that fetch arbitrary code at install time.
Credentials
The skill declares no required env vars, credentials, or config paths. The included scanner operates on local files and contains no code that requests remote credentials. No overbroad environment access is requested.
Persistence & Privilege
always:false and no privileged persistence or modifications to other skills are requested. The skill does not claim to run persistently or alter system-wide settings.
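How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install skill-vetting-tianjin
- Once installation completes, call the Skill by name or use /skill-vetting-tianjin to trigger it
- Provide the required input as described in the Skill's parameter documentation to get structured output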
Version history
v1.1.1
- No functional changes; documentation only.
- SKILL.md content remains unchanged.
- Version bumped to 1.1.1 for consistency.
v1.1.0
- Major documentation update: Added a comprehensive SKILL.md with detailed security vetting workflow, prompt injection guidance, manual review steps, and scanner limitations.
- Clearly defines rules for handling prompt injection and in-file manipulation attempts.
- Provides explicit red flags and a decision matrix for skill approval/rejection.
- Includes quick command-line recipes for safe skill inspection.
- Lists known scanner bypass patterns and manual review heuristics to increase overall skill security.
FAQ
What is Skill Vetting Tianjin?
Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing w... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 253 total downloads to date.
How do I install Skill Vetting Tianjin?
Run the command "/install skill-vetting-tianjin" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Skill Vetting Tianjin free?
Yes. Skill Vetting Tianjin is completely free and released under the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does Skill Vetting Tianjin support?
Skill Vetting Tianjin is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Skill Vetting Tianjin?
It is developed and maintained by tianjin-ren (@tianjin-ren); the current version is v1.1.1.