Code Security Auditor — Security Protection Tool
v1.3.0 Security audit using AI-powered vulnerability detection. Covers OWASP Top 10, dependency scanning, secret detection, SAST, and provides act...
0 · 845 · 5 current · 7 total
Security scan
OpenClaw
Suspicious
Medium confidence
The skill largely matches its stated purpose (local code security auditing) but has inconsistencies and omissions, notably around LLM/cloud integration, undeclared runtime dependencies and credentials, and broad filesystem/CLI operations that could lead to unexpected data transmission if configured to use remote LLMs or tools.
Assessment recommendations
This skill appears to implement a legitimate local code-auditor, but take precautions before installing or running it: 1) Expect it to invoke many external CLI tools (pip-audit, npm audit, trufflehog, gitleaks, detect-secrets, cargo audit, mvn, etc.). Ensure you run it in an isolated environment or CI job with minimal privileges. 2) The skill supports LLM-driven verification; if you enable cloud LLM providers, your project code/context may be sent off-host—review llm_integration.py and configura...
ℹ Purpose and capabilities
Name/description align with the code and docs: auditor.py, rules, secret-detection, dependency scans and an LLM verification stage all implement a code-audit tool. However the SKILL metadata declares no required env vars or binaries while the code/docs clearly reference external tools (pip-audit, npm audit, trufflehog, gitleaks, detect-secrets) and LLM providers/APIs—this omission is a mismatch that reduces transparency about runtime needs.
⚠ Instruction scope
SKILL.md and the code instruct the agent to run wide-reaching scans over a project (traverse files, run trufflehog/gitleaks, run dependency audits) and to perform AI-driven verification. Those actions are expected for an auditor, but the LLM verification stage implies sending code/context to models (README and IMPROVEMENT_REPORT discuss cloud/local LLM providers). The instructions do not clearly warn that using remote LLM APIs will transmit code/extracted context externally, nor do they limit what gets sent. iterate.sh and the auditor write into the workspace (/root/.openclaw/...), which is normal for skill-local state but is global to the agent environment.
ℹ Install mechanism
No install spec (instruction-only + bundled code) — lower risk because nothing is downloaded automatically. But the code expects many third-party CLI tools and LLM runtimes to be present; those are not declared in the skill manifest. The lack of an install spec means the skill will attempt to invoke external tools already on PATH, which may fail or behave unexpectedly if absent or different versions.
⚠ Credential requirements
Manifest lists no required environment variables, yet README/IMPROVEMENT_REPORT/llm_integration mention integration options for cloud LLM providers (APIs for Qwen, Aliyun, ChatGLM, CodeLlama/Ollama). If a user configures cloud LLMs, API keys/credentials will be needed. The skill also scans for many secret patterns (including OpenAI keys) and could surface secrets; absence of declared primaryEnv or recommended safe configuration is an omission. Overall requested/used env access is under-declared relative to functionality.
ℹ Persistence and privileges
always:false (good). The skill writes reports and learning files into the agent workspace (iterate.sh writes to /root/.openclaw/workspace and .learnings). Writing its own reports is expected for an auditor, but the paths target a global workspace area—users should be aware the skill will create/append files in the agent environment.
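Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Install commands
Official: npx clawhub@latest install code-security-auditor
Mirror (accelerated): npx clawhub@latest install code-security-auditor --registry https://cn.longxiaskill.com (mirror available)
Localization notes
Code Security Auditor — Security Protection Tool installation notes: Install commands: ["openclaw skills install code-security-auditor","npx clawhub@latest install code-security-auditor"]. Mirror acceleration within China is supported; add the --registry https://cn.longxiaskill.com parameter to speed up downloads.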