📦 OpenClaw Security Suite — Security Protection Tool

v0.2.3

Security suite for OpenClaw skills. Includes static scanning (AST + keywords) and AI-powered semantic behavior review to detect malicious code.

Security scan
- VirusTotal: Suspicious
- OpenClaw: Suspicious (medium confidence)
Overall the package matches its stated purpose (static scanning + AI review) but there are several inconsistencies and privacy/sandboxing concerns you should understand before installing.
Assessment and recommendations
This package appears to implement what it claims (static scanning + AI review) but there are several things to consider before installing:
- Provenance: the source/homepage is unknown. Prefer packages with a known author or a public repository you can inspect.
- Node requirement mismatch: SKILL.md expects the 'node' binary; ensure your runtime provides Node and that dependencies (@babel packages) are installed.
- Data exposure: the 'review' action inserts full file contents into an LLM promp...
Detailed analysis
Purpose and capabilities
The code and SKILL.md align with the described purpose: AST scanning, keyword scanning, an LLM-based review, and some runtime guards. Small inconsistencies: SKILL.md lists 'node' as a required binary while the registry metadata earlier said none; README and changelog claim a VM sandbox feature but the runtime code does not consistently use the vm runner (vm_runner.ts exists but is not invoked by the scanner). The package.json declares @babel parser/traverse dependencies which are expected for AST scanning.
Instruction scope
The skill accepts a path and will read all .ts/.js files in that path — so it can read arbitrary files the agent user points it at (this is expected for a scanner but raises data-exposure risk if used on sensitive dirs). The AI review embeds the full file contents into a prompt and calls ctx.llm.generate, which will send the raw code (and any secrets inside it) to the LLM provider; that is a clear data-exfiltration risk if the LLM is external. The code uses node:vm.runInContext in vm_runner.ts (a file present), and the README touts sandboxing, but node:vm is not a secure sandbox for untrusted code and the project explicitly removed vm2 — that change reduces rather than increases guarantees. Also, ai_review simply forwards raw LLM output without JSON validation/parsing, which is brittle and could be manipulated.
Installation mechanism
There is no install spec (no remote downloads, no install script), which reduces supply-chain risk. However package.json declares npm dependencies (@babel/parser and @babel/traverse) that must be installed to run the scanner; those are from public npm and are expected for AST parsing. No obscure URLs or archive downloads are used.
Credential requirements
The skill does not request environment variables, credentials, or config paths. It flags process.env and sensitive file paths in its patterns (appropriate for scanning), but it does not itself require secrets. This is proportionate to its stated purpose.
Persistence and permissions
The skill is not always-enabled and does not request elevated platform privileges. disable-model-invocation is false (normal), which means the agent can invoke it autonomously — that is the expected behavior for a skill of this type but note that autonomous invocation plus the data-exfiltration mechanism (sending code to an LLM) increases blast radius.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Installation commands

Official: npx clawhub@latest install openclaw-security-suite
Mirror (accelerated): npx clawhub@latest install openclaw-security-suite --registry https://cn.longxiaskill.com

Data source: ClawHub · Chinese localization: 龙虾技能库