Skill Audit by Raini

# Skill Audit 🔍

Safety Notice

This item is sourced from the public archived skills repository. Treat as untrusted until reviewed.

Copy this and send it to your AI assistant to learn

Install skill "Skill Audit by Raini" with this command: npx skills add 0xraini/raini-skill-audit

Skill Audit 🔍

扫描 OpenClaw skills 中的安全风险，防止供应链攻击。

指令

`/skill-audit scan [skill-name]`

扫描已安装的 skill，检测可疑代码模式。

# 扫描所有已安装 skill
skill-audit scan

# 扫描指定 skill
skill-audit scan moltdash

# 扫描本地目录
skill-audit scan ./my-skill

`/skill-audit check <clawhub-slug>`

安装前检查 ClawHub 上的 skill。

skill-audit check some-skill

检测规则

🔴 高风险 (Critical)

读取凭证文件: ~/.ssh/, ~/.env, credentials.json
外发数据: fetch(), curl, webhook, POST 到未知 URL
代码执行: eval(), exec(), child_process
读取环境变量中的密钥: process.env.API_KEY

🟠 中风险 (Warning)

网络请求到非知名域名
文件系统遍历: fs.readdir(), glob
动态 require/import
Base64 编码的字符串 (可能是混淆)

🟡 低风险 (Info)

使用 shell 命令
读写用户目录外的文件
大量依赖包

输出示例

🔍 Skill Audit Report: suspicious-weather
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Risk Score: 85/100 🔴 HIGH RISK

┌─────────────┬──────────┬─────────────────────────────────┐
│ File        │ Severity │ Finding                         │
├─────────────┼──────────┼─────────────────────────────────┤
│ index.ts    │ CRITICAL │ Reads ~/.openclaw/credentials/  │
│ index.ts    │ CRITICAL │ POST to webhook.site            │
│ utils.ts    │ WARNING  │ Uses eval()                     │
└─────────────┴──────────┴─────────────────────────────────┘

⚠️  DO NOT INSTALL - This skill may steal your credentials!

运行方式

该 skill 附带一个 CLI 脚本，agent 可直接调用：

node {baseDir}/src/audit.js scan ~/.openclaw/workspace/skills/moltdash
node {baseDir}/src/audit.js scan --all

参考

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHub Open in ClawHub

Related Skills

Related by shared tags or category signals.

Security

agentguard

GoPlus AgentGuard — AI agent security guard. Run /agentguard checkup for a full security health check, scans all installed skills, checks credentials, permissions, and network exposure, then delivers an HTML report directly to you. Also use for scanning third-party code, blocking dangerous commands, preventing data leaks, evaluating action safety, and running daily security patrols.

Archived SourceRecently Updated

--GoPlusSecurity

Security

notion-cli-mcp

Notion via notion-cli — a Rust CLI + MCP server for Notion API 2025-09-03+. Safety-first agent integration with rate limiting, response-size cap, untrusted-source output envelope, read-only MCP default, JSONL audit log, and --check-request dry-runs. Supports the new data-source model, 22 property types, 12 block types, and one-shot page+body creation.

Archived SourceRecently Updated

--0xarkstar

Security

fire-smoke-detection-analysis

Detects fire and smoke in video scenes. Supports both video stream and image analysis. Suitable for fire early warning scenarios such as security surveillance, forest fire prevention, and industrial parks. | 烟火检测技能，对视频场景中火情和烟雾进行检测，支持视频流和图片检测，适用于安防监控、森林防火、工业园区等火灾预警场景

Archived SourceRecently Updated

--18072937735

Security

basic-object-detection-analysis

Detects people, vehicles, non-motorized vehicles, pets, and parcels appearing in the target area. Supports video stream and image detection, suitable for general security surveillance scenarios. | 基础目标检测技能，检测出目标区域内出现的人、车、非机动车、宠物、包裹，支持视频流和图片检测，适用于通用安防监控场景

Archived SourceRecently Updated

--18072937735