Security scan
OpenClaw
Safe
High confidence. The skill is internally consistent: it is an instruction-only code-review helper that requests no installs, credentials, or unusual access, and its runtime instructions match the stated purpose.
Assessment recommendation
This skill appears to do what it says: review the workspace for security issues and suggest fixes. Before running it, consider: (1) the skill will read files in your current workspace — remove or temporarily redact any secrets, credentials, or sensitive files you don't want inspected or leaked in output; (2) scope the review (specific files or directories) rather than scanning an entire repository if it contains private keys or production credentials; (3) run the review on a local copy or saniti...
✓ Purpose and capabilities
Name, description, and instructions all describe a code security review. The skill requires no binaries, env vars, or config paths, which is proportionate for an instruction-only code-review helper. Note: the package source/homepage is unknown (no provenance), which reduces external trust but does not create technical incoherence.
ℹ Instruction scope
SKILL.md tells the agent to review code in the current workspace for specific issues and to produce fixes/patches. It does not instruct network exfiltration or reading unrelated system files. Important operational note: 'current workspace' implies the agent will read project files (which may include secrets or credentials); this is expected behavior for a code-audit skill but worth being aware of and scoping before use.
✓ Install mechanism
No install specification and no code files — the skill is instruction-only, so nothing is written to disk or fetched during install. This is the lowest-risk install profile.
✓ Credential requirements
The skill requests no environment variables, credentials, or config paths. That aligns with its purpose as a local code reviewer and is proportionate.
✓ Persistence and permissions
Flags show always:false and user-invocable:true (defaults). The skill does not request persistent presence or system-wide changes. Model invocation is enabled by default (disable-model-invocation:false) which is normal for skills; this alone is not a red flag.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.1.0 2026/4/6
initial release
● Harmless
Install command
Official: npx clawhub@latest install code-security
Mirror (accelerated): npx clawhub@latest install code-security --registry https://cn.clawhub-mirror.com
Skill documentation
Report only real risks; do not create panic.
Workflow
- Identify trust boundaries, user input, privileged operations, and sensitive data paths.
- Focus on injection, path traversal, XSS, insecure deserialization, authentication and authorization flaws, secret leakage, insecure logging, and command execution issues.
- Assess both exploitability and impact; do not overstate low-confidence findings.
- Label risk with clear levels, such as critical, high, medium, low.
- Give directly actionable remediation advice; prefer a code patch whenever one can be given.
- If a risk cannot be fully closed in this round, state the residual risk and the follow-up checkpoints.
Output
- Risk item
- Risk level
- Impact description
- Remediation plan
- A directly usable patch or code suggestion
Data source: ClawHub · Chinese localization: 龙虾技能库