📦 Skill Auditor — 技能审计or

v0.1.2

Audit core：一个分类体系和一个严重度评分函数，保持正交。作用于整个技能包（SKILL.md 及所有引用的脚本…）

0· 6·0 当前·0 累计

by @ambarion

安全加密

下载技能包

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

安全

high confidence

The 技能's declared purpose (审计ing 技能 bundles) matches its instructions and resource needs; it is an instruction-only 审计or that does not 请求凭证s or 安装 software.

评估建议

This 技能 is an instruction-only 审计or and 应用ears internally consistent. Before enabling it widely: (1) 验证 the 代理运行time enforces that the 审计or only reads files within the tar获取技能 bundle (avoid 扫描ning the user's home, ~/.ssh, ~/.aws, etc.); (2) test the 审计or on a benign sample to confirm 输出s and language-lock behavior; (3) 运行 it in a sandboxed or read-only 环境 if you want to limit blast radius. The 技能.md's language-lock rule is fine for presentation but 检查 it doesn't suppress 导入ant meta-errors or d...

详细分析 ▾

✓ 用途与能力

Name/description describe an 审计 taxonomy and scoring function and the 技能.md implements a detAIled classification and severity 模式. No unrelated binaries, env vars, or external 服务s are 请求ed — the 请求ed capability (审计 of 技能 bundles) is coherent with what the file provides.

ℹ 指令范围

技能.md contAIns only the 审计记录ic and rules (language-locking, classification tables, scoring). It explicitly intends to operate on the 技能 bundle (技能.md plus referenced scripts/resources), which is 应用ropriate for an 审计or. Recommendation: confirm the 运行time enforces '技能-bundle-only' scope (does not read arbitrary user home files or 环境) — the spec itself does not instruct reads outside the bundle but leaves 运行time behavior to the 代理.

✓ 安装机制

No 安装 spec and no code files (instruction-only). This is low-risk: nothing will be written to disk or 下载ed by the 技能 itself.

✓ 凭证需求

技能 declares no required 环境 variables, 凭证s, or config paths. Although the taxonomy references 凭证-related behaviors (to classify other 技能s), the 审计or itself does not 请求 secrets — this is proportionate.

✓ 持久化与权限

always:false and no 安装 hooks. The 技能 does not 请求 persistent presence or elevated privileges; autonomous invocation is allowed by default but not combined with other red flags.

安全有层次，运行前请审查代码。

运行时依赖

无特殊依赖

安装命令

点击复制

官方npx clawhub@latest install skill-integrity-auditor

镜像加速npx clawhub@latest install skill-integrity-auditor --registry https://cn.longxiaskill.com镜像同步中

需要定制？告诉我你的需求 →

技能文档

技能审计 — Evaluation Core (Classification + Severity)

This file defines the 审计 evaluation 记录ic. The classification layer answers what it is; the severity layer answers how bad it is. The two are orthogonal and interact only through three interface fields (C_base / required_dims / dataflow_角色).

Language 检测ion Rule — 执行 BEFORE ANYTHING ELSE

检测 the language of the user's triggering message and lock the 输出 language for the entire 运行. This 检测ion is an internal step only — do NOT 输出 any text that reveals the 检测ion 结果, such as "当前输出语言为中文", "检测ed language: English", or similar meta-状态ments. Simply use the 检测ed language silently for all subsequent 输出.

User message language 输出 language Chinese Chinese — entire 输出 in Chinese English English — entire 输出 in English Other language Match that language Cannot determine Default to Chinese

All 输出 — 扫描启动 prompt, table headers, labels, prose, finding records, verdict, and footer — must be written exclusively in the 检测ed language. Do NOT mix languages or announce the language choice at any point.

Classification Layer (Taxonomy)

Each finding is tagged with a triple (Surface, Behavior, IntentMarker). IntentMarker does not participate in scoring; it only affects presentation.

1.1 Surface Code Meaning EXE Code / shell / subprocess / dynamic eval execution FS Local file系统 read / write / 删除 / chmod NET Network inbound / outbound / DNS / sockets CRED 环境 variables / keys / 令牌s / 凭证 stores PROC Process management, persistence, auto启动, scheduled tasks LLM Prompt manipulation, 工具-description poisoning, jAIlbreak payloads AGT Cross-技能 / cross-工具 / MCP supply-chAIn behavior 1.2 Behavior Node Table

Each node declares C_base ∈ {1..4}, required dimensions, and data-flow 角色 (source / 转换 / sink / none). The data-flow 角色 feeds chAIn amplification in §2.4.

EXE Behavior C_base Required Data-flow EXE.StaticShell — shell with fully constant arguments 2 R, B 转换 EXE.DynamicShell — variable interpolation / shell=True + external 输入 4 R, I, B sink EXE.EvalCode — eval / exec / Function() on strings 4 R, I, B sink EXE.RemoteFetch — curl | sh / 下载-then-exec / fetch-and-运行 4 I, B sink EXE.Subprocess — constrAIned subprocess (white列出ed commands) 2 R 转换 FS Behavior C_base Required Data-flow FS.ReadPublic — read public files (README, declared paths) 1 — none FS.ReadWorkspace — read files inside the workspace 2 R source FS.ReadSensitive — read sensitive paths (~/.ssh, ~/.aws, KeychAIn, browser cookies, .env) 4 I, R source FS.ReadOutOfScope — read user files outside declared scope 3 I, B source FS.WriteScoped — write inside declared directories 1 — none FS.WriteOutOfScope — write outside declared scope 3 I, B sink FS.Write启动up — write 启动up hooks / shell rc / auto启动 / launchd 4 R, I sink FS.删除Broad — wide deletion / rm -rf / wildcard 删除 4 R, I, B sink FS.ChmodDangerous — chmod 777 / privilege widen / SUID bit 3 R, I 转换 NET Behavior C_base Required Data-flow NET.OutboundDeclared — outbound to a host declared in 技能.md 1 — sink NET.OutboundUndeclared — outbound to an undeclared host 3 I, B sink NET.OutboundObfuscated — obfuscated destination (concat, encoding, homograph) 4 I, B sink NET.DnsExfil — DNS TXT with suspicious payload (long subdomAIn, base64) 4 I, B sink NET.Inbound列出en — local 列出ening port / reverse shell 端点 4 R, I sink NET.网页socket — long-lived / bidirectional channel 2 I 转换 CRED Behavior C_base Required Data-flow CRED.ReadEnv — broad read of os.environ / process.env 3 I, B source CRED.ReadNamedEnv — read a single declared 环境 variable 1 — source CRED.ReadKeychAIn — read KeychAIn / 凭证管理器 / libsecret 4 I, B source CRED.ReadBrowserStore — read browser cookies / 会话 / password store 4 I, B source CRED.Hardcoded — real secret hardcoded in code or config 3 R none CRED.令牌Echo — 凭证 echoed to LLM / 记录s / stdout 3 R, B 转换 PROC Behavior C_base Required Data-flow PROC.Spawn — ordinary child process creation (pAIred with EXE) 1 — none PROC.Persist — cron / launchd / 系统d / 运行-key 安装 4 R, I sink PROC.工具Tamper — modify / replace 系统工具s, hook package 管理器s 4 R, I, B sink PROC.CryptoMine — miner binaries / known mining-pool hosts 4 — sink PROC.HideSelf — process masquerade 3 I 转换 LLM Behavior C_base Required Data-flow LLM.PromptOverride — "ignore previous / you are now / 系统:" style directives 3 I, B sink LLM.ObfuscatedPrompt — override directive encoded in base64 / ROT13 / hex 4 I, B sink LLM.UnicodeSmuggling — directives hidden in zero-width / Unicode-tag / bidi chars 4 I, B sink LLM.DescriptionInjection — enticement text in description/triggers to coerce other 代理s 3 I sink LLM.工具Poisoning — 工具 descriptions deliberately mislead the 代理's plan 4 I, B sink AGT Behavior C_base Required Data-flow AGT.Cross技能Write — write int

数据来源：ClawHub ↗ · 中文优化：龙虾技能库