← 返回 Skills 市场
teehooai

SpiderShield Security Scanner

作者 teehooai · GitHub ↗ · v0.3.0 · MIT-0
cross-platform ⚠ suspicious
219
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install spidershield
功能描述
Security scanning and trust scoring for OpenClaw skills with commands for trust lookup, malware detection, config audit and auto-fix, rug pull detection, and...
安全使用建议
This skill is a set of bash wrappers that call an external Python package (spidershield) or the SpiderRating API. The main risk is the external pip package: when you run 'pip install spidershield' the package's code will execute locally with your user privileges and could contact remote servers or modify files (including ~/.openclaw/). Before installing or running the local scan/fix/pin commands, do one or more of the following: 1) Inspect the spidershield package source at the referenced GitHub repo (https://github.com/teehooai/spidershield) or PyPI package code to verify it only does what you expect; 2) Prefer using the read-only /spidershield check command which only sends an author/skill slug to api.spiderrating.com (as documented) instead of installing the CLI; 3) Run 'pip install' in an isolated environment (virtualenv or throwaway container) and review the installed package before allowing it to access your real ~/.openclaw/; 4) If you need to run 'fix', use --dry-run first and back up ~/.openclaw/ before accepting changes; 5) Consider verifying the pip package's integrity (signed release, pinned version, or checksum) and the maintainers' reputation. If you cannot audit the spidershield package, treat installing and running the local commands as higher risk.
功能分析
Type: OpenClaw Skill Name: spidershield Version: 0.3.0 The SpiderShield skill performs high-risk operations including shell execution and read/write access to the user's '~/.openclaw/' configuration directory. While these actions are aligned with its stated purpose of auditing and 'fixing' security settings, the skill relies heavily on an external third-party Python package ('spidershield') and communicates with an external API (api.spiderrating.com) in 'scripts/check.sh'. The broad permissions and the potential for a supply-chain attack via the pip dependency make this bundle high-risk despite its helpful appearance.
能力评估
Purpose & Capability
Name, description, commands, and declared permissions match a security scanner that audits OpenClaw config, pins content hashes, and queries a trust API. The scripts only call a 'spidershield' CLI / module (or curl to api.spiderrating.com for /check), and they read/write ~/.openclaw and ~/.spidershield as expected for audit/fix/pin operations. This is proportionate to the stated purpose.
Instruction Scope
The SKILL.md and bundled scripts are wrappers that delegate real work to an external 'spidershield' Python package (spidershield CLI or python3 -m spidershield). The wrappers access local config paths (~/.openclaw, ~/.spidershield) and will prompt before writing for fixes, which matches intent. However the SKILL.md asserts the local commands run "entirely locally"; that is only true if the external spidershield package behaves; the wrappers themselves make no effort to constrain network access or inspect what the installed package will do. Because the skill will execute third-party code on the user's machine, this is a scope risk (possible exfiltration, remote network calls, or arbitrary changes executed by the installed package).
Install Mechanism
There is no packaged install spec in the registry bundle — users are told to run 'pip install spidershield'. Installing and executing a PyPI package is the primary install path. That is a supply-chain risk: the package could contain arbitrary code, run with the user's privileges, and perform network I/O or modify files. The skill points to a GitHub repo (https://github.com/teehooai/spidershield) which helps review, but the registry does not vendor or pin the package or verify its origin. This elevates risk compared with an instruction-only wrapper that uses only built-in tools.
Credentials
The skill does not request environment variables or credentials in the manifest. It legitimately reads and may write OpenClaw config (~/.openclaw/) and stores pins under ~/.spidershield/, which aligns with its features. The proportionality concern is indirect: the external spidershield package (not included) could request credentials or read other files — the wrapper gives it that opportunity by invoking it.
Persistence & Privilege
The skill is not 'always:true' and does not request unusual system-wide privileges. It will create/use ~/.spidershield/ for pin data and may modify ~/.openclaw/ during 'fix' (with an explicit user confirmation prompt in the script). Autonomous invocation is allowed by default (disable-model-invocation: false) — combined with the install-time execution of an external package, that increases blast radius but is not itself proof of malicious intent.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install spidershield
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /spidershield 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.3.0
v0.3.0: API endpoint upgraded to api.spiderrating.com. Fixed packaging consistency issues.
v0.2.1
Fix packaging issues flagged by OpenClaw security scan: - Scripts now call spidershield CLI (open-source) instead of spiderrating - Manifest shell declaration corrected to true (matches .sh scripts) - Removed undeclared SPIDERRATING_API_BASE environment variable
v0.2.0
SpiderShield 0.2.0 expands security scanning and trust scoring for OpenClaw skills. - Adds 6 comprehensive commands: trust lookup, malware scan, config audit, auto-fix, rug pull detection (pin), and bulk scan. - Integrates with SpiderRating Trust API for instant public trust score lookups (4,000+ pre-scanned skills, 93%+ accuracy). - Local scanner covers malware detection (24 rules), configuration auditing (10 checks), and automatic fixes. - Skill pinning feature detects rug pull/supply chain attacks by content hash verification. - All local scanning and fixing runs fully on your machine for privacy. - Simple setup: `/spidershield check` works out of the box; full scanner via `pip install spidershield`.
元数据
Slug spidershield
版本 0.3.0
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 3
常见问题

SpiderShield Security Scanner 是什么?

Security scanning and trust scoring for OpenClaw skills with commands for trust lookup, malware detection, config audit and auto-fix, rug pull detection, and... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 219 次。

如何安装 SpiderShield Security Scanner?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install spidershield」即可一键安装,无需额外配置。

SpiderShield Security Scanner 是免费的吗?

是的,SpiderShield Security Scanner 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

SpiderShield Security Scanner 支持哪些平台?

SpiderShield Security Scanner 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 SpiderShield Security Scanner?

由 teehooai(@teehooai)开发并维护,当前版本 v0.3.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论