Total downloads: 537 · Favorites: 8 · Current installs: 2 · Versions: 9
Install in OpenClaw
/install yidun-skill-sec
Description
Intelligent code security scanner with hybrid local-cloud detection. Fingerprints packages, runs static behavioral analysis, and consults cloud threat intell...
Safe-use recommendations
This skill appears to do what it says (a hybrid local-cloud scanner) and only needs curl/jq/openssl. The main risk is data you may not expect it to send: the SKILL.md says it uploads redacted code snippets and tags to a third-party endpoint (as.dun.163.com). Because there is no implementation included, you cannot verify the redaction or the exact upload rules. Before installing or enabling cloud mode:
1) Prefer running scans offline (set YIDUN_SKILL_SEC_CLOUD=false) on sensitive code or in an isolated environment.
2) If you plan to enable cloud analysis, test it first on non-sensitive packages to confirm what is sent.
3) Ask the author or vendor for the scanner implementation (or review it) to verify the local redaction pipeline and the exact file-read policies.
4) Limit network access (e.g., with a firewall) if you cannot audit the implementation.
5) If you use this skill in high-sensitivity contexts, require that cloud uploads be disabled or that the vendor provide a signed, auditable client implementation.
These steps reduce the chance that secrets or unexpected data are exfiltrated.
Functional analysis
Type: OpenClaw Skill
Name: yidun-skill-sec
Version: 1.0.1
The skill is a security scanner that performs static behavioral analysis and uploads file hashes and redacted code snippets to a cloud intelligence endpoint (as.dun.163.com). While its actions are consistent with its stated purpose of threat detection, it requires high-risk capabilities, including broad filesystem access and outbound network communication to a third-party service. The documentation describes a detailed 'Local Redaction Pipeline' to mitigate data leakage, but the inherent risk of transmitting code-derived metadata and the potential for sensitive data to bypass the redaction logic warrant a suspicious classification under the provided criteria.
Capability assessment
Purpose & Capability
The name and description (security scanner) align with the required binaries (curl, jq, openssl) and with the SKILL.md: cloud checks, fingerprinting, and static analysis reasonably require network calls and hash computation.
Instruction Scope
SKILL.md instructs the agent to read package files, compute fingerprints, run behavioral analysis, and upload redacted evidence (hashes, tags, and code snippets) to as.dun.163.com. That is coherent for a scanner, but the redaction pipeline and the exact rules for what is and isn't uploaded are only described textually; there is no code to verify that full sources, credentials, or other sensitive artifacts will never be uploaded. The scanner also claims to detect accesses to agent memory and sensitive paths; if implemented poorly, the scanning step itself could read sensitive files. Summary: the behavior is expected for the purpose, but the absence of verifiable implementation details raises privacy and exfiltration concerns.
Install Mechanism
Instruction-only skill (no install spec, no code files): this is low-risk from an installation/execution perspective because nothing is written or executed by default. It requires standard CLI tools only, with no downloads from arbitrary URLs.
Credentials
The skill does not request credentials or privileged environment variables. The declared optional env vars (YIDUN_SKILL_SEC_CLOUD, YIDUN_SKILL_SEC_TRUSTED_REGISTRIES, YIDUN_SKILL_SEC_LOG_PAYLOAD) are reasonable for toggling cloud behavior, trusted hosts, and payload logging.
Persistence & Privilege
The `always` flag is false and the skill is user-invocable; it does not request persistent system-wide privileges or the ability to modify other skills. Autonomous invocation is allowed by platform default but is not combined with other privilege escalations here.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install yidun-skill-sec
- After installation, call the Skill by name directly, or trigger it with /yidun-skill-sec
- Provide the required input according to the Skill's parameter description to receive structured output.
Version history
v1.0.1
yidun-skill-sec 1.0.1
- Version bump with no code or SKILL.md file change detected.
- No new features, fixes, or breaking changes in this release.
v1.0.0
No file changes detected. No updates in this version.
v0.0.7
No user-visible changes in this release. Version number updated to 0.0.7.
v0.0.6
**yidun-skill-sec v0.0.6 Changelog**
- Added `YIDUN_SKILL_SEC_LOG_PAYLOAD` environment variable to optionally log the redacted cloud payload locally before upload for auditing.
- Updated file hashing algorithm from MD5 to SHA-256 for improved security.
- Improved disclosure: clarified that cloud detection data is used only for the current scan and destroyed immediately after analysis.
- Documented two-tier domain blacklist: a local embedded list for offline safety, and an augmented cloud list when cloud scanning is enabled.
- Added details on how nested archives are handled and tagged for security risk.
- Minor improvements to documentation and security policy for greater transparency.
v0.0.5
yidun-skill-sec v0.0.5 — No file changes, metadata update only.
- Added documentation for two environment variables: `YIDUN_SKILL_SEC_CLOUD` (to control cloud threat intelligence) and `YIDUN_SKILL_SEC_TRUSTED_REGISTRIES` (to custom-allow registries).
- No code changes or new features in this version.
v0.0.4
No functional or documentation changes detected in this release.
- Version number updated to 0.0.4.
- No changes to code or documentation files.
v0.0.3
**Cloud threat intelligence phase now mandatory with explicit data policy**
- Cloud scanning is now a required step; optional/offline fallback removed.
- Added a clear security disclosure detailing exactly what package data is uploaded (non-sensitive metadata, trigger snippets, tags only) and what is never uploaded (no source code, credentials, or personal data).
- Stated that uploads are sent to NetEase Yidun and are crucial for deep threat detection.
- All other functionality and scanning phases remain unchanged.
v0.0.2
No user-facing changes in this release.
- Version bump to 0.0.2 with no file or documentation updates detected.
v0.0.1
yidun-skill-sec v0.0.1
- Initial release of hybrid local-cloud security scanner for third-party code packages
- Performs source vetting, fingerprinting, static behavioral analysis, and optional cloud intelligence lookup
- Detects malware, secrets leaks, privilege abuse, obfuscation, and other suspicious behaviors before install
- Auto-downgrades to local-only scanning if offline
- Compatible with Linux, macOS, and Windows; requires curl, jq, and openssl
FAQ
What is Yidun Skill Sec?
Intelligent code security scanner with hybrid local-cloud detection. Fingerprints packages, runs static behavioral analysis, and consults cloud threat intell... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 537 cumulative downloads to date.
How do I install Yidun Skill Sec?
Run the command "/install yidun-skill-sec" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Yidun Skill Sec free?
Yes, Yidun Skill Sec is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Yidun Skill Sec support?
Yidun Skill Sec is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed (linux, darwin, win32).
Who develops Yidun Skill Sec?
It is developed and maintained by Yidun (@yd-dev); the current version is v1.0.1.