Security scan
OpenClaw
Suspicious
High confidence: The skill claims to perform active red-team scans (prompt injection, secret extraction, tool abuse), but the provided files do not implement those capabilities, and the code attempts to import an external module from the host filesystem. This mismatch and the filesystem import are concerning.
Assessment recommendations
This skill currently appears incomplete and inconsistent with its description. Before installing or running it:
1) Ask the publisher for the missing agent_redteam package or the full source for repo_scanner, and review it for network calls and credential access.
2) Do not run the skill against production or sensitive agents; run it in an isolated sandbox first.
3) Be wary of the code altering sys.path to import from parent directories (this can cause the skill to execute unrelated host code).
4)...
⚠ Purpose and capabilities
The SKILL.md and metadata claim full red-team capabilities (prompt injection detection, secret extraction, tool abuse). The bundled main.py does not implement those features: the 'scan' subcommand only prints 'Found 0 issues', and the repo-scanning behavior delegates to an external module (agent_redteam.repo_scanner) that is not included. The advertised capabilities are not implemented in the provided files.
⚠ Instruction scope
Runtime instructions tell users to run '@redteam scan <agent-id>' to start a security scan, but the implementation does not perform any agent scanning. main.py modifies sys.path to import agent_redteam from two levels up, which means the skill expects to load code from the host environment — a scope expansion not documented in SKILL.md. That external import could access unrelated code or data.
✓ Installation mechanism
No install spec is present (instruction-only plus a single Python script). Nothing is written to disk by an installer, which lowers supply-chain risk. However, the lack of a packaged dependency for agent_redteam means functionality is incomplete or relies on out-of-band components.
ℹ Credential requirements
The skill declares no required environment variables or credentials, which is reasonable for a scanner. However, the code's sys.path manipulation to import agent_redteam from parent directories effectively asks to load code from the agent host filesystem; that can provide access to other modules or files and should be justified. No explicit credentials are requested but host code access increases risk.
✓ Persistence and permissions
The skill does not request always:true, does not claim persistent presence, and does not modify agent config in the provided files. Autonomous invocation is allowed by default but is not combined with other privilege-escalating flags.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install redteam
Mirror (accelerated): npx clawhub@latest install redteam --registry https://cn.longxiaskill.com