Security scan
OpenClaw
Safe
High confidence: The skill is internally consistent. It is a thin wrapper that sends a repository or code to the external Claw0x scanning API and requires only an API key; the main risk is that it transmits code to a third-party service, which is expected for this purpose.
Assessment recommendations
This skill forwards the provided repo URLs or code to the Claw0x Gateway (https://api.claw0x.com). That behavior matches its purpose but has privacy implications: do not send secrets, credentials, or private data you cannot share. Before installing, verify that you trust Claw0x (review its privacy and security documentation), use a dedicated, limited API key, rotate the key if it leaks, and prefer a local scanner for highly sensitive code. Review the included handler.ts (it only reads CLAW0X_API_KEY and POSTs the input) and...
✓ Purpose and capabilities
Name/description state it will scan skills for vulnerabilities and undeclared permissions; the SKILL.md and handler.ts implement exactly that by calling the Claw0x Gateway API. Requested artifacts (repo_url, skill_slug, code) and the single required env var (CLAW0X_API_KEY) match the stated purpose.
ℹ Instruction scope
Runtime instructions and examples consistently instruct the agent to POST skill data (repo URL or code) to https://api.claw0x.com/v1/call. There are no instructions to read unrelated local files or other environment variables. This is expected, but it does mean user code/metadata will be sent to a third-party service — a privacy-sensitive action that the user should be aware of.
✓ Installation mechanism
Instruction-only skill with no install spec. The included handler.ts is a small network wrapper (uses fetch) and does not write to disk or download/extract remote archives. Low installation risk.
ℹ Credential requirements
Only CLAW0X_API_KEY is required (declared in SKILL.md metadata and enforced by handler.ts). That single credential is proportional to a remote service wrapper. Users should still treat the key as sensitive because it authorizes requests that may transmit code to the external API.
✓ Persistence and permissions
The always flag is false, and the skill does not request elevated privileges, modify other skills, or change global agent config. Model invocation is allowed (the platform default), which is appropriate for a callable scanner.
⚠ handler.ts:9
Environment variable access (CLAW0X_API_KEY) combined with an outbound network request: the key read here authorizes the POST that carries user-supplied code to the external service.
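The pattern flagged at handler.ts:9 is exactly the one a thin scanner wrapper has to contain: read a credential, build a request from user input, send it off-box. The following is an added example, not the skill's own handler.ts, of how that step can be guarded so that the bytes leaving the machine are inspectable before they leave. The env var name, the endpoint, and the three artifacts (repo_url, skill_slug, code) come from the assessment above; the JSON body, the Bearer Authorization header, and the secret patterns are assumptions made for illustration.

```typescript
// Added example (not the skill's own handler.ts): a guarded version of the
// "read CLAW0X_API_KEY, POST the input" pattern flagged at handler.ts:9.
// From the page: the env var name, the endpoint, and the three artifacts.
// Assumed for illustration: JSON body, Bearer auth header, the secret patterns.

const CLAW0X_ENDPOINT = "https://api.claw0x.com/v1/call"; // pinned, never taken from input

export interface ScanInput {
  repo_url?: string;
  skill_slug?: string;
  code?: string;
}

export interface PreparedRequest {
  url: string;
  method: "POST";
  headers: Record<string, string>;
  body: string;
}

// Patterns for material that must not leave the machine. Constructed for this
// example; a real deployment would run a proper secret scanner here.
const SECRET_PATTERNS: Array<[string, RegExp]> = [
  ["AWS access key id", /\bAKIA[0-9A-Z]{16}\b/],
  ["private key block", /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/],
  ["GitHub token", /\bgh[pousr]_[A-Za-z0-9]{36,}\b/],
  ["hard-coded credential", /\b(?:api[_-]?key|secret|password|token)\s*[:=]\s*['"][^'"]{8,}['"]/i],
];

// Returns the names of every pattern that matches; an empty array means nothing was found.
export function findSecrets(code: string): string[] {
  return SECRET_PATTERNS.filter(([, re]) => re.test(code)).map(([name]) => name);
}

// Builds the outbound request without sending it, so the exact payload that
// would leave the machine can be inspected or asserted on. `env` is passed in
// (call with process.env in practice) so the function is testable offline.
export function prepareScanRequest(
  input: ScanInput,
  env: Record<string, string | undefined>,
): PreparedRequest {
  const apiKey = env.CLAW0X_API_KEY;
  if (!apiKey) throw new Error("CLAW0X_API_KEY is not set");

  // Allow-list the declared artifacts; any other property on `input` is dropped.
  const body: ScanInput = {};
  if (typeof input.repo_url === "string") body.repo_url = input.repo_url;
  if (typeof input.skill_slug === "string") body.skill_slug = input.skill_slug;
  if (typeof input.code === "string") body.code = input.code;
  if (Object.keys(body).length === 0) throw new Error("nothing to scan");

  // Only https repo URLs: the remote scanner will fetch this URL from its side.
  if (body.repo_url !== undefined && new URL(body.repo_url).protocol !== "https:") {
    throw new Error("repo_url must be https");
  }

  // Refuse to ship source that looks like it carries credentials.
  if (body.code !== undefined) {
    const hits = findSecrets(body.code);
    if (hits.length > 0) throw new Error(`refusing to send code containing: ${hits.join(", ")}`);
  }

  return {
    url: CLAW0X_ENDPOINT,
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${apiKey}`, // assumed header form; the key never enters the body
    },
    body: JSON.stringify(body),
  };
}

// The network step, kept separate from request construction so it is the only
// place in the module that talks to the outside world.
export async function scan(
  input: ScanInput,
  env: Record<string, string | undefined>,
): Promise<unknown> {
  const req = prepareScanRequest(input, env);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`Claw0x Gateway returned HTTP ${res.status}`);
  return res.json();
}
```

In use, a handler calls scan(input, process.env). Splitting request construction from the send is what makes the finding reviewable: prepareScanRequest can be unit-tested to show that the endpoint cannot be redirected by input, that the key travels only in a header, that undeclared fields are stripped, and that code containing credential-looking material is refused before any socket is opened.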
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install security-scanner-plus
Mirror (accelerated): npx clawhub@latest install security-scanner-plus --registry https://cn.longxiaskill.com