AI 智能体技能的安全优先审查协议。安装技能前务必先进行审查。
使用场景
- 从 ClawdHub 安装任何技能之前
- 运行 GitHub 仓库中的技能之前
- 评估其他智能体分享的技能时
- 任何时候被要求安装未知代码时
审查流程
步骤 1:来源检查
需要回答的问题:
- [ ] 这个技能来自哪里?
- [ ] 作者是否知名/可信?
- [ ] 下载量/星标数有多少?
- [ ] 最后更新时间是什么时候?
- [ ] 是否有其他智能体的评价?
步骤 2:代码审查(必需)
阅读技能中的所有文件。检查以下危险信号:
🚨 发现以下情况立即拒绝:
─────────────────────────────────────────
• curl/wget 访问未知 URL
• 向外部服务器发送数据
• 请求凭证/令牌/API 密钥
• 无明确理由读取 ~/.ssh、~/.aws、~/.config
• 访问 MEMORY.md、USER.md、SOUL.md、IDENTITY.md
• 对任何内容使用 base64 解码
• 使用 eval() 或 exec() 执行外部输入
• 修改工作区外的系统文件
• 安装未列出的包
• 通过 IP 而非域名进行网络调用
• 混淆代码(压缩、编码、最小化)
• 请求提升/sudo 权限
• 访问浏览器 cookie/会话
• 触及凭证文件
─────────────────────────────────────────
步骤 3:权限范围
评估内容:
- [ ] 需要读取哪些文件?
- [ ] 需要写入哪些文件?
- [ ] 执行哪些命令?
- [ ] 是否需要网络访问?访问哪里?
- [ ] 权限范围是否最小化以满足其声明的用途?
步骤 4:风险分类
| 风险等级 | 示例 | 操作 |
|---|
| 🟢 低 | 笔记、天气、格式化 | 基本审查,可安装 |
| 🟡 中 | 文件操作、浏览器、API | 需要完整代码审查 |
| 🔴 高 | 凭证、交易、系统 | 需要人工批准 |
| ⛔ 极高 | 安全配置、root 访问 | 禁止安装 |
输出格式
审查完成后,生成以下报告:
SKILL VETTING REPORT
═══════════════════════════════════════
Skill: [name]
Source: [ClawdHub / GitHub / other]
Author: [username]
Version: [version]
───────────────────────────────────────
METRICS:
• Downloads/Stars: [count]
• Last Updated: [date]
• Files Reviewed: [count]
───────────────────────────────────────
RED FLAGS: [None / List them]PERMISSIONS NEEDED:
• Files: [list or "None"]
• Network: [list or "None"]
• Commands: [list or "None"]
───────────────────────────────────────
RISK LEVEL: [🟢 LOW / 🟡 MEDIUM / 🔴 HIGH / ⛔ EXTREME]
VERDICT: [✅ SAFE TO INSTALL / ⚠️ INSTALL WITH CAUTION / ❌ DO NOT INSTALL]
NOTES: [Any observations]
═══════════════════════════════════════
快速审查命令
对于 GitHub 托管的技能:
# Check repo stats
curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, forks: .forks_count, updated: .updated_at}'# List skill files
curl -s "https://api.github.com/repos/OWNER/REPO/contents/skills/SKILL_NAME" | jq '.[].name'
# Fetch and review SKILL.md
curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md"
信任层级
- 官方 OpenClaw 技能 → 较低审查强度(仍需审查)
- 高星仓库(1000+) → 中等审查强度
- 知名作者 → 中等审查强度
- 新/未知来源 → 最高审查强度
- 请求凭证的技能 → 始终需要人工批准
谨记
- 没有任何技能值得牺牲安全
- 有疑问时,不要安装
- 高风险决策请咨询人类用户
- 记录审查内容以备将来参考
谨慎是一种特性。 🔒🦀
Security-first vetting protocol for AI agent skills. Never install a skill without vetting it first.
When to Use
- Before installing any skill from ClawdHub
- Before running skills from GitHub repos
- When evaluating skills shared by other agents
- Anytime you're asked to install unknown code
Vetting Protocol
Step 1: Source Check
Questions to answer:
- [ ] Where did this skill come from?
- [ ] Is the author known/reputable?
- [ ] How many downloads/stars does it have?
- [ ] When was it last updated?
- [ ] Are there reviews from other agents?
Step 2: Code Review (MANDATORY)
Read ALL files in the skill. Check for these RED FLAGS:
🚨 REJECT IMMEDIATELY IF YOU SEE:
─────────────────────────────────────────
• curl/wget to unknown URLs
• Sends data to external servers
• Requests credentials/tokens/API keys
• Reads ~/.ssh, ~/.aws, ~/.config without clear reason
• Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md
• Uses base64 decode on anything
• Uses eval() or exec() with external input
• Modifies system files outside workspace
• Installs packages without listing them
• Network calls to IPs instead of domains
• Obfuscated code (compressed, encoded, minified)
• Requests elevated/sudo permissions
• Accesses browser cookies/sessions
• Touches credential files
─────────────────────────────────────────
Step 3: Permission Scope
Evaluate:
- [ ] What files does it need to read?
- [ ] What files does it need to write?
- [ ] What commands does it run?
- [ ] Does it need network access? To where?
- [ ] Is the scope minimal for its stated purpose?
Step 4: Risk Classification
| Risk Level | Examples | Action |
|---|
| 🟢 LOW | Notes, weather, formatting | Basic review, install OK |
| 🟡 MEDIUM | File ops, browser, APIs | Full code review required |
| 🔴 HIGH | Credentials, trading, system | Human approval required |
| ⛔ EXTREME | Security configs, root access | Do NOT install |
Output Format
After vetting, produce this report:
SKILL VETTING REPORT
═══════════════════════════════════════
Skill: [name]
Source: [ClawdHub / GitHub / other]
Author: [username]
Version: [version]
───────────────────────────────────────
METRICS:
• Downloads/Stars: [count]
• Last Updated: [date]
• Files Reviewed: [count]
───────────────────────────────────────
RED FLAGS: [None / List them]PERMISSIONS NEEDED:
• Files: [list or "None"]
• Network: [list or "None"]
• Commands: [list or "None"]
───────────────────────────────────────
RISK LEVEL: [🟢 LOW / 🟡 MEDIUM / 🔴 HIGH / ⛔ EXTREME]
VERDICT: [✅ SAFE TO INSTALL / ⚠️ INSTALL WITH CAUTION / ❌ DO NOT INSTALL]
NOTES: [Any observations]
═══════════════════════════════════════
Quick Vet Commands
For GitHub-hosted skills:
# Check repo stats
curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, forks: .forks_count, updated: .updated_at}'# List skill files
curl -s "https://api.github.com/repos/OWNER/REPO/contents/skills/SKILL_NAME" | jq '.[].name'
# Fetch and review SKILL.md
curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md"
Trust Hierarchy
- Official OpenClaw skills → Lower scrutiny (still review)
- High-star repos (1000+) → Moderate scrutiny
- Known authors → Moderate scrutiny
- New/unknown sources → Maximum scrutiny
- Skills requesting credentials → Human approval always
Remember
- No skill is worth compromising security
- When in doubt, don't install
- Ask your human for high-risk decisions
- Document what you vet for future reference
Paranoia is a feature. 🔒🦀
by