📦 Safuclaw — Pre-install Scan

v0.1.3

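Automatically runs a security audit before any AI skill is installed locally: it detects malicious code, prompt injection and data-exfiltration risks, and gives actionable remediation advice to protect the system and its data.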

by @alikayhan (Ali Kayhan)
Last updated: 2026/4/19
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Assessment recommendations
Key things to consider before installing:
- Understand what you will send: the auditor asks for the full SKILL.md and any non-SKILL.md files. These can include API keys, tokens, secrets, or proprietary code — remove or redact any sensitive values before uploading, or avoid uploading and instead run local checks.
- Verify the operator: the audit endpoint (https://api.safuclaw.com) and homepage are the only provenance. Confirm the vendor's reputation, privacy policy, and data-retention policy be...
Detailed analysis
Purpose and capabilities
Name and description match the SKILL.md: the skill is an audit gate that sends skill content to an external audit API. There are no unrelated environment variables, binaries, or install steps requested — the external API approach is coherent with the declared purpose.
Instruction scope
Runtime instructions require sending the entire SKILL.md plus any non-SKILL.md files (full source/install scripts) to https://api.safuclaw.com for analysis. Uploading full file contents to a third party legitimately enables deeper analysis but also risks exfiltrating secrets or sensitive code. The x402 payment flow requires wallet creation/signing and sending 0.99 USDC per audit, which adds financial friction and social-engineering risk (users may be asked to fund wallets). The SKILL.md does not instruct how uploaded files are stored/retained or provide privacy/retention guarantees.
Install mechanism
Instruction-only skill with no install spec and no code files to run locally, which reduces surface area. No downloads, no extracted archives, and no binaries are installed by the skill itself.
Credential requirements
The skill declares no required environment variables or credentials. However, its payment flow asks the agent/user to create or use a Base wallet and sign an x402 payment (private keys and signatures). That operation involves sensitive secrets (wallet private keys) and may require using a signing client; the SKILL.md does not explicitly prohibit sending private keys or signing payloads on an untrusted backend. The lack of declared credentials is consistent, but the wallet/signing requirement raises practical security concerns that are not fully addressed.
Persistence and privileges
The skill does not request always:true or elevated persistent presence and has default invocation settings. It does not attempt to modify other skills or system-wide configuration according to the provided files.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v0.1.3 · 2026/3/8


Suspicious

Install command

Official: npx clawhub@latest install safuclaw
Mirror (accelerated): npx clawhub@latest install safuclaw --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库