sx-security-audit
Author: zhuxiaobao-y (GitHub)
Version v1.0.0 · License MIT-0
343 total downloads · 0 favorites · 1 current install · 1 version
Install in OpenClaw:
/install sx-security-audit
Description
A comprehensive security audit skill. It checks file permissions, environment variables, dependency vulnerabilities, configuration files, network ports, Git security, shell security, macOS security, secret detection and more. It supports CLI parameters, JSON output and configuration files. Use this skill when the user asks for a "security check", "vulnerability scan", "permission check" or "security audit".
Safe usage advice
This tool is consistent with its stated purpose of security auditing, but it is powerful: it will scan your home directory, workspace, shell histories, environment variables, and Git history, and may include discovered secrets in its report. Before running: (1) review the scripts locally to confirm you trust them (they are included in the package); (2) run audits in a controlled environment (or container) if you are concerned about accidental data exposure; (3) do not use the send-to-Feishu options unless you trust the target webhook or the OpenClaw plugin API endpoint (inspect ~/.openclaw/openclaw.json for the configured apiEndpoint); (4) expect some checks (npm audit, lsof) to require additional tools or elevated privileges; run with the least privilege necessary and review the generated report content before broadcasting it.
Functional analysis
Type: OpenClaw Skill
Name: sx-security-audit
Version: 1.0.0
The SX-security-audit skill bundle is a legitimate security auditing tool designed to identify system misconfigurations, hardcoded secrets, and dependency vulnerabilities. The core logic in `scripts/security_audit.py` performs various checks including file permissions (e.g., `~/.ssh`), environment variable scanning, and Git history analysis for leaked credentials using regex and Shannon entropy. While the tool accesses sensitive data, its behavior is transparent and strictly aligned with its stated purpose. The reporting script `scripts/send_report_to_feishu.py` allows users to send audit summaries to their own Feishu webhooks or plugins, and no evidence of hardcoded malicious endpoints, unauthorized exfiltration, or persistence mechanisms was found.
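The analysis above says the audit script finds leaked credentials by combining regular expressions for known key formats with Shannon entropy. The following is an added Python example of that technique, written here to illustrate the review; it is not code from the sx-security-audit package. The two key-format patterns, the candidate-token regex, the 3.5 bits/character threshold and the sample lines are all constructed assumptions, since the skill's own pattern list and thresholds are not shown on this page. Findings are redacted before they are returned, which addresses the page's warning that audit reports may otherwise contain the secrets they discover.

```python
"""Added example: regex + Shannon-entropy secret detection (not the skill's own code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Known key formats. Both prefixes are publicly documented; the skill's own
# pattern list is not on the page, so this selection is an assumption.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Candidate tokens for the entropy heuristic: long runs of base64/hex-like
# characters. '=' and ':' are deliberately excluded so KEY=VALUE pairs and
# PATH-style lists split into separate candidates.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")

# Assumed threshold in bits per character: random base64-like secrets score
# well above it, ordinary identifiers, paths and padding score below it.
ENTROPY_THRESHOLD = 3.5

# Constructed sample input, standing in for lines from a scanned file or a git diff.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB",            # known format, low entropy
    "DB_PASSWORD=Zq9vX2lPq7wRt4sYb8nKm3JdH6cF1gLe",       # no known format, high entropy
    "export PATH=/usr/local/bin:/usr/bin:/bin",           # benign
    "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",  # known format and high entropy
    "SEPARATOR=--------------------------------",         # long but zero entropy
]


@dataclass
class Finding:
    line_no: int
    kind: str       # "known-format:<name>" or "high-entropy"
    redacted: str   # first 4 characters kept, rest masked, so the report leaks nothing
    entropy: float  # bits per character of the matched token


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(token: str, keep: int = 4) -> str:
    """Mask everything after the first `keep` characters."""
    return token[:keep] + "*" * (len(token) - keep)


def scan_lines(lines, threshold: float = ENTROPY_THRESHOLD):
    """Return a list of Finding objects, one per suspected secret, in line order."""
    findings = []
    for i, line in enumerate(lines, start=1):
        matched = set()
        # 1. Known formats first: example or test keys can have low entropy yet still be real.
        for name, pat in KNOWN_FORMATS.items():
            for m in pat.finditer(line):
                tok = m.group(0)
                matched.add(tok)
                findings.append(Finding(i, f"known-format:{name}", redact(tok),
                                        round(shannon_entropy(tok), 3)))
        # 2. Entropy heuristic for anything else that looks like a random token.
        for m in CANDIDATE.finditer(line):
            tok = m.group(0)
            if tok in matched:
                continue  # already reported under its known format
            h = shannon_entropy(tok)
            if h >= threshold:
                findings.append(Finding(i, "high-entropy", redact(tok), round(h, 3)))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind:32} {f.redacted}  (H={f.entropy} bits/char)")
```

Running the block on the constructed lines reports the AWS-style key (caught only by its format, since its entropy is about 2.8 bits/char), the random database password (caught only by entropy), and the GitHub-style token once (not twice), while the PATH line and the dash separator produce no findings. The known-format pass runs before the entropy pass for exactly the reason the first sample shows: a key that is structurally valid is worth reporting even when it is not random-looking.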
Capability assessment
Purpose & Capability
The name/description (security audit) matches the included scripts and reference docs. The checks (permissions, secrets, deps, git, ports, macOS checks, etc.) are implemented in the provided Python code and the references. Access to ~/.openclaw, workspace, home, and repo files is expected for this purpose.
Instruction Scope
Runtime instructions and scripts explicitly scan many sensitive locations (home directory, ~/.ssh, ~/.aws, shell history, environment variables, Git diffs, recursive workspace scans), which is normal for an audit tool but highly sensitive. The skill also supports sending generated reports to Feishu (webhook or OpenClaw plugin API). Users should expect that audit output may contain secrets discovered during scans.
Install Mechanism
No install spec is provided (instruction-only plus included scripts), so nothing external is downloaded by the registry. The scripts call external tooling (e.g., npm audit, lsof) as documented; that is proportional to the stated checks but may require those tools to be present.
Credentials
The skill declares no required environment variables, but the send-to-Feishu flow can use a FEISHU_WEBHOOK_URL or the OpenClaw plugin configuration (from ~/.openclaw/openclaw.json). The audit will scan current environment variables for sensitive patterns (expected for a secrets audit). No unrelated third-party credentials are requested in metadata.
Persistence & Privilege
`always:false` is set, and there is no evidence of the skill trying to persist itself or modify other skills. It reads user config (~/.openclaw/openclaw.json) to find optional Feishu plugin settings but does not appear to alter other skill configs.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install sx-security-audit
- After installation, invoke the skill directly by its name, or trigger it with /sx-security-audit
- Provide the required inputs according to the skill's parameter description to receive structured output
Version history
v1.0.0
Initial release of SX-security-audit – a comprehensive security auditing skill.
- Provides modular checks including file permissions, secrets, dependencies, environment variables, Git, network ports, shell, and macOS security.
- Detects known key formats and uses entropy analysis for enhanced secret detection.
- Supports CLI options for module selection, output format (JSON, Markdown), severity filtering, and silent mode.
- Allows behavior customization via `.security-audit.json` config files with path exclusions and severity thresholds.
- Generates detailed, prioritized security audit reports and supports report delivery to Feishu in multiple message formats.
- Includes guidance for both automated and manual report sending.
FAQ
What is sx-security-audit?
A comprehensive security audit skill. It checks file permissions, environment variables, dependency vulnerabilities, configuration files, network ports, Git security, shell security, macOS security, secret detection and more. It supports CLI parameters, JSON output and configuration files. Use this skill when the user asks for a "security check", "vulnerability scan", "permission check" or "security audit". It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 343 downloads to date.
How do I install sx-security-audit?
Run the command "/install sx-security-audit" in the OpenClaw or Claude Code chat box for one-click installation; no extra configuration is needed.
Is sx-security-audit free?
Yes, sx-security-audit is completely free under the MIT-0 license and may be freely downloaded, installed and used.
Which platforms does sx-security-audit support?
sx-security-audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed sx-security-audit?
Developed and maintained by zhuxiaobao-y (@zhuxiaobao-y); the current version is v1.0.0.