AgentShield Scanner — Security Protection Tool
v0.5.1 and plugins for security vulnerabilities. Use when: user asks to check a skill/plugin for safety, audit security, scan for...
Security scan
OpenClaw
Suspicious
Medium confidence. The skill's stated purpose (a security scanner) is coherent with its instructions, but it relies on running an external npm package via npx while declaring no required binaries/install — that dependency and the runtime fetch pose supply-chain and operational risks the user should understand before running.
Assessment recommendations
This SKILL.md simply tells the agent to run an external npm package via `npx` to perform scans. Before running: (1) verify the npm package origin and author (@elliotllliu) and inspect its source (GitHub repo, package contents) — do not run it blindly; (2) ensure you have npx/node and understand npx will fetch code from the registry at runtime; (3) run the scanner in an isolated environment (container or VM) and against copies of sensitive data when possible; (4) prefer pinned versions or checksu...
ℹ Purpose and capabilities
The SKILL.md describes an AI-skill/plugin scanner which matches the name and description. However the runtime examples all use `npx @elliotllliu/agent-shield ...` yet the skill metadata declares no required binaries or install steps — this is an inconsistency (the agent needs npx/node/npm to run the scanner).
✓ Instruction scope
Instructions are narrowly scoped to invoking the scanner on local paths, archives, or repository URLs. Scanning necessarily reads files (including secrets) to detect leaks, which is expected behavior for this purpose; the instructions do not direct data to external endpoints themselves, but they do invoke an external package that will run with whatever network/file permissions the runtime grants.
⚠ Install mechanism
No install spec or bundled code is included; the SKILL.md instructs using `npx` to fetch and run `@elliotllliu/agent-shield` at runtime. Fetching and executing an external npm package is a moderate-to-high supply-chain risk. The skill does not include provenance, a homepage, or packaged code to inspect locally, increasing the risk.
ℹ Credential requirements
The skill requests no environment variables or credentials in metadata, which is appropriate. Be aware that a scanner will need access to local files and may read secrets to detect leaks — this is proportional to its stated task but is sensitive, so running it requires trust in the scanner implementation.
✓ Persistence and privileges
The skill does not request persistent/always-on privileges and does not modify other skills. It is user-invocable and does not claim autonomous always-inclusion, which is appropriate.
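Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Install command
Official: `npx clawhub@latest install agentshield-scanner`
Mirror (accelerated): `npx clawhub@latest install agentshield-scanner --registry https://cn.longxiaskill.com` (mirror available)
Localization notes
AgentShield Scanner — Security Protection Tool. Installation instructions: install commands: ["openclaw skills install agentshield-scanner","npx clawhub@latest install agentshield-scanner"]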