kamalsrini

Security embedded Dev

Author kamalsrini · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Passed security check
160
Total downloads
0
Favorites
0
Current installs
1
Versions
Install in OpenClaw
/install supply-chain-enterprise-security-skill
Description
Reviews AI/ML model supply chains for security risks including model provenance verification, training data lineage, fine-tuning pipeline integrity, inferenc...
Safe usage advice
This skill is a defensive, instruction-only checklist for reviewing ML model supply chains and is internally consistent. Before using it: (1) confirm you have authorization to review any target systems and artifacts; (2) be aware the agent will need read access to repo files, CI configs, or model documentation to produce a useful report — it will not and should not request cloud credentials itself; (3) expect gaps where the skill recommends checking cloud IAM or signed provenance unless you explicitly provide access via your normal, secure workflows; (4) note the minor name mismatch (registry name vs SKILL.md name) and verify you intended to install this particular skill; (5) do not grant broad secrets or make the agent execute downloaded model code — the skill already warns against execution.
Functional analysis
Type: OpenClaw Skill
Name: supply-chain-enterprise-security-skill
Version: 1.0.0
The skill bundle is a legitimate security assessment tool designed to guide an AI agent through a review of AI/ML model supply chains. It provides a structured methodology and search patterns (using Grep and Glob) to identify common vulnerabilities such as unsafe deserialization (pickle), unverified model provenance, and insecure training pipelines. The SKILL.md file includes explicit safety instructions to prevent the agent from executing untrusted code or falling victim to prompt injection during its analysis.
Capability assessment
Purpose & Capability
The SKILL.md describes a model supply-chain security assessor and the allowed-tools (Read, Grep, Glob) and lack of required env vars/install match that purpose. Minor inconsistency: the registry skill name is "Security embedded Dev" while the SKILL.md identifies itself as "model-supply-chain" — a naming mismatch but not a functional problem.
Instruction Scope
Instructions stay within defensive review scope: they tell the agent to read code/configs, check provenance, and explicitly forbid executing code or following embedded instructions. They limit tool use to Read/Grep/Glob. Note: some recommended checks (cloud IAM, SLSA artifacts, Sigstore proofs) may require out-of-band access or credentials not provided by the skill; the skill correctly does not request those credentials but will produce gaps if the agent lacks access.
Install Mechanism
No install spec and no code files — instruction-only skill. This is the lowest-risk install mechanism and consistent with a review guidance document.
Credentials
The skill requests no environment variables, credentials, or config paths. Given its stated purpose, that is proportionate: it guides checks against artifacts rather than requiring direct credentials. If the user wants deeper checks (e.g., cloud IAM), they will need to provide credentials separately and explicitly.
Persistence & Privilege
The always flag is false, and the skill does not request persistent privileges or attempt to modify agent/system configuration. Autonomous invocation is allowed (platform default) but is not combined with other concerning privileges.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install supply-chain-enterprise-security-skill
  3. After installation, call the Skill by name directly or trigger it with /supply-chain-enterprise-security-skill
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release introducing the model supply chain security review skill.
- Enables structured assessment of AI/ML model supply chains, covering model provenance, training data lineage, fine-tuning integrity, inference dependency review, and backdoor detection.
- Aligns assessments with OWASP LLM03:2025, SLSA v1.0, and MITRE ATLAS supply chain frameworks.
- Guides users through context gathering and a step-by-step process to identify risks from unverified models, insecure download methods, and unsafe dependencies.
- Designed for use by security, ML, and appsec engineers during build, review, and operate phases.
- Ensures injection-hardened operation; restricts tool usage to safe, read-only commands.
Metadata
Slug supply-chain-enterprise-security-skill
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

What is Security embedded Dev?

Reviews AI/ML model supply chains for security risks including model provenance verification, training data lineage, fine-tuning pipeline integrity, inferenc... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 160 downloads to date.

How do I install Security embedded Dev?

Run the command "/install supply-chain-enterprise-security-skill" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Security embedded Dev free?

Yes, Security embedded Dev is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Security embedded Dev support?

Security embedded Dev is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who develops Security embedded Dev?

Developed and maintained by kamalsrini (@kamalsrini); the current version is v1.0.0.
