
Claw Security Suite — Security Protection Tool

v1.1.0

Provides four-layer security for OpenClaw, including static code scanning, logic audit, runtime protection, and periodic security patrols with automated reports.

by @kenz1117·MIT-0
License
MIT-0
Last updated
2026/4/13
Security scan
VirusTotal
Suspicious
OpenClaw
Safe
medium confidence
The skill's code and runtime instructions are consistent with a local security scanner/patrol tool, but it will by default call a third‑party cloud endpoint (skill name + source) and write baseline/reports into the agent workspace — review that behavior before installing.
Assessment recommendations
This package appears to implement the security features it claims, but review and decide on two policy points before installing: 1) Cloud intel endpoint: the code includes a default Tencent endpoint and will perform a GET request (skill_name and source as query params) when you call the scanner with a skill_name. If you do not want any network calls, either set CLAW_SECURITY_CLOUD_ENDPOINT to an empty value or avoid passing a skill_name to the cloud-checking APIs. The code documents the behavio...
Detailed analysis
Purpose and capabilities
Name/description (multi-layer security: static scan, logic audit, runtime protection, periodic patrol) match the shipped modules and exported APIs. The files implement the declared capabilities and there are no unrelated credentials, binaries, or surprising external dependencies.
Instruction scope
SKILL.md instructs the agent to run local scanning, logic auditing, runtime input checks, and scheduled patrols — all implemented in the code. The instructions do cause the skill to read other skills' files (scanning /app/working/skills) and to call RuntimeProtector before user inputs if integrated; this is expected for a security tool but grants the skill broad read access within the agent workspace.
Install mechanism
No external install spec (instruction-only installer) and the package uses only bundled Python standard-library code. Nothing is downloaded or executed from arbitrary URLs during install.
Credential requirements
No required secrets or env-vars are declared; an optional CLAW_SECURITY_CLOUD_ENDPOINT env var can override a default cloud endpoint. However the code ships with a non-empty default endpoint (https://matrix.tencent.com/clawscan/skill_security) and will query it (skill_name + source) if a skill_name is provided — this causes network traffic to a third party even with zero config. No local files or credentials are sent, per code, but the network call and its default should be considered before enabling.
Persistence and privileges
The skill writes baseline and report files to /app/working/security and /app/working/logs/security and scans /app/working/skills; it does not request always:true or system-level privileges. Creating and updating baseline/report files is consistent with its stated patrol role but grants it persistent artifacts in the agent workspace.
Security comes in layers; review the code before running.

License

MIT-0

Free to use, modify, and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest · v1.1.0 · 2026/3/17

- No code or documentation changes detected in this release.
- Version bump to 1.1.0 with no content modifications.

● Suspicious

Install command

Official: npx clawhub@latest install claw-security-suite
Mirror (accelerated): npx clawhub@latest install claw-security-suite --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库