Security scan
OpenClaw
Security
High confidence: The skill's code and instructions implement a local, grep-based security auditor that is consistent with its description and does not request unrelated credentials or external installs.
Assessment recommendations
This looks like a coherent local security auditor. Before running it: (1) review the shipped scripts yourself (they will execute locally and read files you point them at); (2) be aware the scanner uses broad regexes and can produce false positives, so manually inspect any HIGH/CRITICAL matches; (3) confirm blocklist.txt and allowlist.txt are stored where you expect (they are in the skill directory) before trusting automatic writes; (4) note the SKILL.md advertises paid 'premium' links, unrelated to...
✓ Purpose and capabilities
The SKILL.md and included shell scripts implement a static, pattern-based scanner for skills (network calls, credential file access, dynamic execution, base64, env access). The files present (audit.sh, audit-all.sh, preinstall-check.sh, allowlist/blocklist) are exactly what a simple local auditor would need; no unrelated cloud credentials, binaries, or config paths are requested.
ℹ Instruction scope
Instructions are focused on running local audits and integrating a pre-install check. The auditor scans arbitrary skill directories (as intended) and prints matching lines; it does not send data externally. Note: the regexes are broad and will produce false positives (and may match comments or benign code). Also review the scripts before running, since they will read files you point them at and print matching lines (which could include secrets).
✓ Installation mechanism
No install spec is provided (instruction-only with shipped scripts). That is low-risk from an install-network perspective. The provided scripts will be executed locally by the user/agent; they write to local blocklist/allowlist files in the skill directory, which is reasonable for a scanner.
✓ Credential requirements
The skill requests no environment variables or credentials. The scripts use common environment values (HOME, provided skill path) only. There are no declared or hidden credential requirements.
✓ Persistence and permissions
The always flag is false, and the skill does not attempt to modify other skills' configs or system-wide agent settings. It does persist its own allowlist/blocklist files in its directory, which matches its purpose.
Security comes in layers; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/2/22
Add premium skills promo links
● Suspicious
Install command
Official: npx clawhub@latest install skill-security
Mirror (accelerated): npx clawhub@latest install skill-security --registry https://cn.longxiaskill.com