by 安全扫描
OpenClaw
安全
medium confidenceThe skill's requirements and instructions are internally consistent for running an npm-based config scanner, but it relies on running an unvetted npm package (via npm/npx) and includes an optional external-analysis mode that can send sensitive config data to Anthropic — exercise caution before running.
评估建议
This skill is coherent for its stated purpose (running an npm-based Claude Code config scanner) but has two operational risks you should consider before installing/using it:
- npx/npm execution risk: The recommended usage runs ecc-agentshield from the npm registry. npx executes code fetched from npm at run time — only run this if you trust the package author or after reviewing the package source (repository, package contents, and maintainers). Prefer installing in a sandbox or CI job with limit...详细分析 ▾
✓ 用途与能力
The name/description (audit Claude Code configs with AgentShield) matches the declared requirements: node/npm are listed and the SKILL.md instructs running the npm package ecc-agentshield. No unrelated credentials, binaries, or config paths are requested.
ℹ 指令范围
Instructions explicitly tell the agent to scan CLAUDE.md, settings.json, mcp.json, hooks/, and agents/ — all within the stated purpose. However the SKILL.md exposes an optional deep analysis flag (--opus --stream) that requires ANTHROPIC_API_KEY and would transmit scanned content to an external API; the document does not warn about sending sensitive configuration or secrets to an external service.
ℹ 安装机制
There is no install spec in the registry (instruction-only), but SKILL.md recommends npm install -g or npx ecc-agentshield. Using npx installs/executes code from the public npm registry at runtime — a moderate risk if the package is unvetted or malicious. No direct download URLs or extract steps are present, which is better than arbitrary URL downloads, but the package identity/source is unknown (no homepage or repository listed).
✓ 凭证需求
The skill declares no required environment variables and lists ANTHROPIC_API_KEY as optional for deep analysis; this is proportionate to the optional feature. There are no unrelated or excessive credential requests. Be aware that providing ANTHROPIC_API_KEY will allow the tool to send scanned data to an external API.
✓ 持久化与权限
always is false and there is no install script or code in the skill bundle that would persist or modify other skills or system settings. The skill is instruction-only and does not demand permanent presence or elevated privileges.
安全有层次,运行前请审查代码。
运行时依赖
OSLinux · macOS · Windows
版本
latestv1.0.0
Onboarding to repo with existing configs
● 无害
安装命令
点击复制官方npx clawhub@latest install claude-code-security-scan
镜像加速npx clawhub@latest install claude-code-security-scan --registry https://cn.longxiaskill.com 镜像可用
本土化适配说明
Claude Code Security Scan — 安全防护工具 安装说明: 安装命令:["openclaw skills install claude-code-security-scan","npx clawhub@latest install claude-code-security-scan"]