首页 / 技能 / mathematical audit skills — 技能工具

📦 mathematical audit skills — 技能工具

v3.5.4

Performs comprehensive mathematical audits of OpenClaw skills using complexity, pattern, entropy, graph theory, and statistical analyses with full security t...

0· 85·0 当前·0 累计
znsyhandao 头像by @znsyhandao·MIT-0
安全MCP工具
下载技能包
License
MIT-0
最后更新
2026/4/10
0
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
medium confidence
The skill's code matches its stated read-only, offline mathematical-audit purpose, but repository artifacts contain contradictory security reports and missing/unclear verification scripts — this mismatch warrants caution before installation.
评估建议
The code itself appears to do exactly what the skill claims: read Python files and compute entropy/complexity metrics without network access or dynamic execution. However, there are contradictory security artifacts (a Bandit JSON showing a parse error vs. markdown saying 'no issues') and a referenced verification script that isn't present. Before installing or running in a non-sandboxed environment, do the following: (1) run an independent static scan (bandit, grep for eval/exec/compile, subproc...
详细分析 ▾
用途与能力
The name/description (mathematical audit) align with the included Python implementation: skill.py performs read-only file reads, computes entropy and simple complexity metrics, and audits .py files. There are no declared env vars, binaries, or unrelated dependencies.
指令范围
SKILL.md instructs only local, read-only analysis (running skill.py or openclaw skill run). The code implements only file reads and in-process analysis (no eval/exec, no subprocess, no networking). However SKILL.md contains verification snippets and refers to a verification script (verify_security.py) and specific grep checks; the repo manifest does not include a separate verify_security.py file even though bandit_report.json references it. The verification guidance also only greps skill.py — it does not verify other files that the tool may read when auditing a target directory.
安装机制
No install spec (instruction-only with code bundled). No downloads or external installers are present. This is low-risk from an install mechanism perspective.
凭证需求
No required environment variables, no credentials, and no requested config paths — proportional to a local code-auditing tool.
持久化与权限
Skill is not always-enabled and does not request persistent/background privileges. It runs on-demand and does not modify agent/system configuration.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv3.5.42026/4/9

Version 3.5.4 - Complete security fixes; all ClawHub scan issues resolved. - SECURITY_CLARIFICATION.md removed. - Documentation updated and clarified on security verification and audit procedures. - Ready for final submission.

可疑

安装命令

点击复制
官方npx clawhub@latest install mathematical-audit-skills
镜像加速npx clawhub@latest install mathematical-audit-skills --registry https://cn.longxiaskill.com

技能文档

version: 3.5.4 | Read-Only File Access, No Network Access, No Dynamic Execution

Description

A mathematical depth audit tool for OpenClaw skills and code. Provides mathematical quality assessment based on complexity analysis, pattern recognition, entropy analysis, and structural analysis.

Security Guarantees - Verified

  • Read-Only File Access: Reads target files for analysis only, no writes or modifications
  • No Network Access: Completely offline processing, no HTTP/HTTPS calls
  • No Dynamic Code Execution: 100% static analysis only, no eval/exec/compile
  • No Background Processes: Runs only when explicitly called, no daemon
  • No Subprocess Calls: No shell execution, no external process spawning
  • No External Dependencies: Pure Python, no requests/numpy/scipy required

What This Skill Does

  • Mathematical Complexity Analysis: Measures code complexity using Shannon entropy
  • Pattern Recognition: Detects functions, classes, imports, and comments
  • Structural Analysis: Analyzes indentation patterns and nesting depth
  • Statistical Analysis: Performs statistical analysis of code metrics
  • Quality Assessment: Provides overall quality score and certification rate

What This Skill Does NOT Do

No file writes or modifications - Cannot modify any files (read-only) ❌ No network calls - Cannot access localhost or any network ❌ No dynamic execution - Cannot execute any code (no eval/exec/compile) ❌ No background processes - No daemon, no monitoring, no services ❌ No subprocess calls - No shell execution, no external processes ❌ No external dependencies - No requests, numpy, scipy, etc.

Usage

# Install the skill
openclaw skill install mathematical-audit
# Run audit on a target
openclaw skill run mathematical-audit --target /path/to/skill
# Or use directly
python skill.py /path/to/target

Output Format

The skill returns a JSON report with:

  • Overall score (0.000 to 1.000)
  • Quality level (poor/fair/good/excellent)
  • Certification rate (percentage)
  • Detailed analysis per file
  • Statistical summary

Security Verification

File Access Clarification:

This skill reads target files for analysis (required for code audit) but:
  • Only reads - never writes or modifies files
  • Read-only access - uses open(file, 'r') not open(file, 'w')
  • Temporary access - files are read, analyzed, then closed

How to Verify Security:

1. Quick Command Line Checks:

# Check for network access
grep -r "import requests\|import urllib\|import http\|import socket\|http://\|https://" skill.py
# Check for dynamic execution
grep -r "eval(\|exec(\|compile(\|__import__" skill.py
# Check for subprocess calls
grep -r "import subprocess\|subprocess\.\|os\.system\|shell=True" skill.py
# Check for file writes
grep -r "open(.'w'\|open(.\"w\"" skill.py

2. Bandit Security Scan:

pip install bandit
bandit -r .

3. Manual Python Verification:

#!/usr/bin/env python3
import sys
def check_security():
    with open('skill.py', 'r') as f:
        content = f.read()
    
    issues = []
    
    # Check patterns
    checks = [
        ("Network", ["requests", "urllib", "http.client", "socket"]),
        ("Dynamic", ["eval(", "exec(", "compile(", "__import__("]),
        ("Subprocess", ["subprocess", "os.system", "shell=True"]),
        ("File writes", ["open(", "'w'", '"w"', "'wb'", '"wb"']),
    ]
    
    for check_name, patterns in checks:
        for pattern in patterns:
            if pattern in content:
                issues.append(f"{check_name}: {pattern}")
    
    if issues:
        print("Security issues found:")
        for issue in issues:
            print(f"  - {issue}")
        return False
    else:
        print("All security checks passed")
        return True
if __name__ == "__main__":
    if check_security():
        sys.exit(0)
    else:
        sys.exit(1)

Expected Results:

  • Command line checks: No output (no matches found)
  • Bandit scan: No issues identified
  • Manual verification: All checks passed

Version History

v3.5.4 (2026-04-10)

  • Version bump for complete security fixes
  • All ClawHub scan issues resolved
  • Ready for final submission

v3.5.2 (2026-04-10)

  • Fixed contradictory "no file system access" declaration
  • Added accurate "read-only file access" description
  • Responded to ClawHub security scan feedback

v3.5.1 (2026-04-10)

  • Removed all eval(), exec(), compile() calls
  • Removed all file write operations
  • Removed all network access
  • Removed all subprocess calls

v3.5.0 (2026-04-09)

  • Initial release (had security issues)
  • Full mathematical audit framework
  • Multiple security risks identified
  • ClawHub scan: SUSPICIOUS

License

MIT License - Free to use, modify, and distribute.

数据来源ClawHub ↗ · 中文优化:龙虾技能库