← 返回 Skills 市场
Snyk Agent Scan Compliance
作者
Samuel Berthe
· GitHub ↗
· v1.0.0
· MIT-0
98
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install snyk-agent-scan-compliance
功能描述
Compliance expert for snyk-agent-scan — the agent skill file scanner — NOT for other Snyk CLI tools (snyk test, snyk code SAST, snyk iac, snyk container). Fi...
安全使用建议
This skill appears to do what it says (help authors fix snyk-agent-scan alerts) and installs the snyk-agent-scan CLI, but there is an important inconsistency: the runtime examples require a SNYK_TOKEN secret yet the skill metadata declares no required env vars or primary credential. Before installing, confirm you trust the source of the snyk-agent-scan uv package and ask the publisher to (a) declare the SNYK_TOKEN in the manifest so you can review its scope, or (b) update docs to explain the token's required permissions and how it will be used. Treat the SNYK_TOKEN as sensitive — only provide it via CI secrets or a limited-scope token in a sandboxed environment. Finally, because this is an instruction-only skill (no code files), the SKILL.md is the full runtime surface: review the prose for any additional commands you would not want executed by an autonomous agent and test the skill in an isolated environment first.
功能分析
Type: OpenClaw Skill
Name: snyk-agent-scan-compliance
Version: 1.0.0
The skill bundle is a compliance assistant designed to help developers fix alerts generated by the 'snyk-agent-scan' tool. It provides detailed instructions and reference patterns (W001, W011, W012) for restructuring OpenClaw skills to pass security heuristics, such as moving installation commands to frontmatter and using version pinning. The content promotes security best practices within the OpenClaw ecosystem and contains no evidence of malicious intent, data exfiltration, or unauthorized execution logic.
能力评估
Purpose & Capability
The skill's stated purpose (helping authors remediate snyk-agent-scan alerts) aligns with the install of the snyk-agent-scan tool (uv package). Requiring the snyk-agent-scan binary is coherent. However, the SKILL.md explicitly shows running the scanner with SNYK_TOKEN=<token> (and recommends storing it as a CI secret), yet the skill metadata lists no required environment variables or primary credential. That omission is inconsistent and unexplained.
Instruction Scope
The SKILL.md instructs running snyk-agent-scan (examples: `SNYK_TOKEN=<token> snyk-agent-scan --skills ...`) and tells users to store SNYK_TOKEN as a CI secret. Because there are no code files, the prose is the runtime surface — and it explicitly requires a secret but the manifest doesn't declare it. Otherwise the instructions stay within the stated domain (rewriting skill bodies to avoid W001/W011/W012), and they do not instruct reading unrelated local files or exfiltrating arbitrary data.
Install Mechanism
Install uses a uv package entry for snyk-agent-scan (kind: uv, package: snyk-agent-scan) which is proportionate to the tool's purpose. UV installs are a network fetch of a package; that's expected for a CLI helper. No arbitrary direct-download or extract-from-untrusted-URL patterns are present in the install spec.
Credentials
The SKILL.md clearly requires a SNYK_TOKEN to run the scanner and gives examples using it, but the skill's declared requirements list no environment variables or primary credential. A scanner token is a sensitive secret; the skill should declare it (primaryEnv or requires.env) and justify scope. As written, there is a mismatch between declared and actual secret needs.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system settings. Allowed-tools are broad but consistent with an authoring/compliance helper. There is no evidence the skill requests permanent elevated presence.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install snyk-agent-scan-compliance - 安装完成后,直接呼叫该 Skill 的名称或使用
/snyk-agent-scan-compliance触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of skill-authoring compliance guidance for snyk-agent-scan.
- Provides comprehensive reference and best practices for resolving W011 (third-party content), W012 (malicious URLs), and W001 (prompt injection) alerts.
- Clarifies scope: applies to skill authoring and editing, not code/infrastructure findings.
- Details passive rewriting strategies; never suppress or delete information.
- Includes remediation order, typical false positive conditions, and pre-authoring checklist to minimize scan failures.
- Usage and installation guidance specific to `snyk-agent-scan`, including how to triage scans in local and CI environments.
元数据
常见问题
Snyk Agent Scan Compliance 是什么?
Compliance expert for snyk-agent-scan — the agent skill file scanner — NOT for other Snyk CLI tools (snyk test, snyk code SAST, snyk iac, snyk container). Fi... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 98 次。
如何安装 Snyk Agent Scan Compliance?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install snyk-agent-scan-compliance」即可一键安装,无需额外配置。
Snyk Agent Scan Compliance 是免费的吗?
是的,Snyk Agent Scan Compliance 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Snyk Agent Scan Compliance 支持哪些平台?
Snyk Agent Scan Compliance 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Snyk Agent Scan Compliance?
由 Samuel Berthe(@samber)开发并维护,当前版本 v1.0.0。
推荐 Skills