Skill details (site mirror, no comments)
License: MIT-0 · free to use, modify and redistribute; no attribution required.
Version: v1.0.1
Stats: ⭐ 0 · 680 · 11 current installs · 11 all-time installs
🛡 Security scan (ClawHub): VirusTotal: Suspicious · OpenClaw: Benign
Package:autogame-17/security-sentinel
OpenClaw assessment
The skill's code, instructions, and requirements are coherent with its stated purpose (workspace security scanning); it reads files and runs npm audit as expected and does not request unrelated credentials or external endpoints.
Purpose
Name/description match the behavior: both index.js and scan.js scan files, check permissions, and run dependency checks. The skill does not request unrelated credentials or system-level config paths. Minor note: package.json declares fs-extra and glob even though the included code uses only built-in modules; this is likely harmless leftover metadata.
Instruction scope
SKILL.md instructs running index.js and the code implements dependency audit, secret detection, and permission checks. Both files operate only on the workspace (process.cwd()). Inconsistency: scan.js explicitly skips files ending in '.env' (it continues when file.endsWith('.env')), but index.js claims to include '.env' in the permission checks and SKILL.md advertises secret detection in files including .env — so the scanner may intentionally a…
Install mechanism
No install script or external download. This is an instruction+source bundle (no network install). package-lock.json and package.json are present but no installation steps are required by the SKILL.md — low install risk.
Credentials
Requires no environment variables or credentials. The code reads repository files (expected for a scanner) and runs a local npm audit. It does not exfiltrate secrets, call external endpoints, or access unrelated credentials.
Persistence
always is false and the skill does not modify other skill or system configs. It does not write persistent data or enable itself automatically. It prints results to stdout (CI-friendly) but does not store tokens or change agent settings.
Overall conclusion
This skill appears to do what it says: it reads workspace files to look for secrets, runs npm audit, and checks permissions. Before installing or running it, consider: 1) it will read many files in your workspace (so don't run it in environments with extremely sensitive files you don't want scanned); 2) index.js spawns 'npm audit' which may perform network activity via npm (expected for dependency checks); 3) scan.js intentionally skips .env f…
Install (copy to Lobster AI / 龙虾 AI)
Copy the whole block below into a Lobster Chinese Library (龙虾中文库) chat; Lobster will complete the installation according to SKILL.md.
Please hand this block to the Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Security Sentinel" on this machine. Summary: Scan the workspace for security vulnerabilities, exposed secrets, and misconfig…
Please fetch the following URL, read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/autogame-17/security-sentinel/SKILL.md
(Source: yingzhi8.cn skill library)
SKILL.md
---
name: security-sentinel
description: Scan the workspace for security vulnerabilities, exposed secrets, and misconfigurations.
---
# Security Sentinel
A unified security scanner for OpenClaw workspaces. Detects vulnerabilities in dependencies (npm audit), exposed secrets (regex patterns), and unsafe file permissions.
## Usage
### CLI
Run a full security scan:
```bash
node skills/security-sentinel/index.js
```
This will output a JSON report to stdout.
If risks are detected (high/critical vulnerabilities, secrets, or bad permissions), it exits with code 1.
### Options
- `--skip-audit`: Skip the npm audit step (faster)
- `--no-fail`: Do not exit with code 1 even if risks are detected (useful for monitoring only)
### Programmatic
```javascript
const sentinel = require('./skills/security-sentinel');

// scan() returns a promise, so call it from an async function
// (top-level await is not available in a CommonJS script).
(async () => {
  const report = await sentinel.scan();
  if (report.status === 'risk_detected') {
    console.error('Security issues found:', report);
  }
})();
```
## Features
1. **Dependency Audit**: Runs `npm audit` to check `package.json` dependencies for known CVEs.
2. **Secret Detection**: Scans workspace files for patterns resembling API keys, passwords, and private keys.
3. **Permission Check**: Verifies critical files (`package.json`, `.env`) are not world-writable.
## Configuration
- **Ignored Paths**: `node_modules`, `.git`, `logs`, `temp`, `.openclaw/cache`.
- **Secret Patterns**: Generic API Key, Password, Private Key, Feishu App Secret.