← 返回 Skills 市场
214
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install skills-security-scanner
功能描述
审计和扫描技能的安全性。在启用新技能前使用此工具验证其安全性,确保符合安全策略。
安全使用建议
This skill will ZIP and upload entire skill directories to a scan API and requires access keys (AK/SK) supplied by scripts/config.json or environment variables—yet the registry lists no required credentials and the README implies a local service. Before installing: (1) ask the author which endpoint will receive the uploads and request that endpoint be explicit (local vs cloud) and documented; (2) do not provide real cloud credentials—use a throwaway/test account if you must trial it; (3) inspect scripts/config.json and the full script to confirm upload_url and signing behavior; (4) if you must run it, run in a sandbox or isolated environment and test with non-sensitive sample skills first; (5) consider asking the maintainer to declare required env vars in metadata and to add an explicit opt-in step that shows the upload destination before transmitting code.
功能分析
Type: OpenClaw Skill
Name: skills-security-scanner
Version: 1.0.0
The skill is a security scanner that functions by zipping local directories and uploading them to a remote API (defaulting to volcengineapi.com) for analysis. While this aligns with its stated purpose in SKILL.md, the script (scripts/scan.py) lacks path sanitization or restricted scopes, creating a high-risk primitive where an agent could be directed to exfiltrate sensitive system directories (e.g., ~/.ssh or /etc) under the guise of a 'security scan.' The use of external cloud APIs for processing local code constitutes a significant data exfiltration risk if not strictly controlled.
能力评估
Purpose & Capability
The description says this audits/scans skills (and the SKILL.md repeatedly mentions a local analysis service), which is plausible. However, the script imports a Volcengine SDK and builds requests to open.volcengineapi.com (and signs requests with AK/SK). The registry declares no required credentials or secrets even though the script requires access keys or a config.json with credentials to upload. Asking for cloud credentials is not aligned with the 'local' wording and the metadata.
Instruction Scope
SKILL.md instructs the agent to run scripts/scan.py with absolute paths and to ensure scripts/config.json exists (or use env vars). The script will zip and upload the entire target skill directory (or archive) to a scan endpoint. That means arbitrary skill source code and files are transmitted. SKILL.md frames this as a local service, but the code defaults to a remote cloud API—so the instructions understate where data may go.
Install Mechanism
This is an instruction-only skill with a provided Python script (no install spec). The script imports third-party packages (requests and a volcengine SDK) that are not declared; there is no install step to ensure dependencies are present. Lack of an install spec is low-install risk but means execution may fail or behave unexpectedly if required libs are missing.
Credentials
No required environment variables or primary credential are declared in the registry, yet the script expects access key/secret (AK/SK) via scripts/config.json or environment variables and uses SignerV4 to sign upload requests. Requesting cloud credentials to upload arbitrary code is high-sensitivity and is not justified or declared by the skill metadata or description.
Persistence & Privilege
The skill is not always:true and does not request persistent system-level access. It can be invoked autonomously (the platform default), which combined with the credential/upload behavior increases risk, but the skill itself does not claim elevated persistence privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install skills-security-scanner - 安装完成后,直接呼叫该 Skill 的名称或使用
/skills-security-scanner触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of skills-security-scanner:
- Provides a tool for auditing and scanning the security of other skills before enabling them.
- Scans skills by analyzing the SKILL.md file and related code via a local analysis service.
- Includes a script (`scripts/scan.py`) for scanning, requiring absolute paths.
- Outputs results as a JSON array for further processing and user-friendly reporting.
- Specifies a standardized scan report format in Chinese, highlighting high and medium security risks.
元数据
常见问题
skills-security-scanner 是什么?
审计和扫描技能的安全性。在启用新技能前使用此工具验证其安全性,确保符合安全策略。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 214 次。
如何安装 skills-security-scanner?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install skills-security-scanner」即可一键安装,无需额外配置。
skills-security-scanner 是免费的吗?
是的,skills-security-scanner 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
skills-security-scanner 支持哪些平台?
skills-security-scanner 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 skills-security-scanner?
由 qihuang(@qihuang0)开发并维护,当前版本 v1.0.0。
推荐 Skills