📦 Skill Security Scanner — Security Scan

v1.0.0

One-click scanning of JS/TS/Python/Shell files that automatically finds data-exfiltration, injection, obfuscation and backdoor/trojan risks and outputs a detailed security report.

by @torchesfrms (moer)
Last updated: 2026/4/20
Security scan
VirusTotal: suspicious
OpenClaw: safe (high confidence)
The skill's code, scripts, and runtime instructions align with its stated purpose (a local/remote static scanner) and do not request unrelated credentials or installs, but it will execute local shell scripts and read skill directories so run it in a safe environment if you are cautious.
Recommendations
This skill appears internally consistent with its stated purpose (a static security scanner). Before running it: (1) review scripts/scan.sh and scan-all.sh to confirm how they handle remote URLs (cloning/downloading) and whether they execute any network commands; (2) run the scanner in a sandboxed environment or VM and avoid running it as root; (3) if you intend to scan your installed skills, consider copying the skills directory to a safe location first; (4) be aware the scanner uses regex-base...
Detailed analysis
Purpose and capabilities
The name/description (security scanner for JS/TS/Python/Shell) matches the provided artifacts: a CLI wrapper (index.js), a Node scanner (node/scanner.js) implementing regex rules, and shell scripts (scripts/scan.sh, scan-all.sh). No unrelated environment variables, binaries, or cloud credentials are requested.
Instruction scope
SKILL.md explicitly instructs the agent to run local scripts (./scripts/scan.sh, ./scripts/scan-all.sh) against local skill directories and remote URLs. That behavior is coherent for a scanner, but it means the skill will read arbitrary skill directories (e.g., ~/.openclaw/workspace/skills) and may fetch/inspect remote repos. The instructions give the agent permission to execute the included shell scripts (and the code does so via execSync), so the runtime has the ability to perform filesystem and network operations consistent with a scanner.
Install mechanism
No install spec is declared (instruction-only at registry level), and the bundle includes local scripts and Node code that will be executed in-place. There are no downloads from untrusted URLs during an install step. This is appropriate for a script-based scanner, but note the skill executes those local scripts when invoked.
Credential requirements
The skill declares no required environment variables or credentials. The scanner's detection rules look for occurrences of cloud-related env vars inside target code (e.g., process.env.AWS_), which is expected for a security scanner and does not imply the skill needs those secrets itself.
Persistence and permissions
always:false (normal). The skill does not request permanent system-wide presence and does not modify other skills' configurations in the provided files. It will create/read a local whitelist file inside its package and read user skill directories when run; autonomous invocation is allowed by default (normal) but not forced.
index.js:8: Shell command execution detected (child_process).
Security comes in layers; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest: v1.0.0 (2026/3/18)

Skill Security Scanner v1.0.0 — Initial Release
- Introduces an enterprise-grade skill security scanner supporting JavaScript, TypeScript, Python, and Shell file types.
- Detects four major threat categories: data exfiltration, injection attacks, code obfuscation, and trojans/backdoors.
- Implements 57 detailed detection rules, covering 60+ dangerous operation patterns.
- Features an intelligence-driven static analysis engine with quantitative scoring (0–100) and clear risk levels.
- Supports remote (ClawHub/GitHub) and local scanning, batch operations, detailed risk reports, and user-defined whitelists.
- Provides standard report templates, natural language triggers, and full documentation for usage and result interpretation.


Install command

Official: npx clawhub@latest install skill-sec-scan-en
Mirror (accelerated): npx clawhub@latest install skill-sec-scan-en --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库