Sbom Explainer (OpenClaw skill)

Translates a dependency list or SBOM into a risk explanation that non-technical readers can follow, ordered by impact surface. Use for: sbom, dependencies, risk workflows. Do not use for: fabricating CVE status, replacing professional vulnerability scanning.

Category: Development and DevOps

Author: vx:17605205782 @52YuanChangXing

License: MIT-0

MIT-0 · Free to use, modify and redistribute. No attribution required.

Version: v1.0.0

Stats: ⭐ 0 · 28 · 0 current installs · 0 all-time installs


Package: 52yuanchangxing/sbom-explainer

Security scan (ClawHub)

  • VirusTotal: benign
  • OpenClaw: benign

OpenClaw assessment

The skill's code, instructions, and requirements are coherent with its stated purpose (turn SBOMs/dependency lists into non-technical, structured risk briefings); it is read-only, requires only python3, and does not request credentials or network access — but the provided script can read arbitrary files under any directory you point it at, so run it only against intended inputs.

Purpose

Name/description match the included files and script. The bundle contains templates, a spec.json, examples, and a Python script that formats input SBOM/dependency material into the indicated structured brief. Required binary (python3) is appropriate and minimal.

Instruction scope

SKILL.md confines the skill to explanation/briefing (not scanning or making changes) and instructs using scripts/resources. The run.py implementation performs read-only analysis and templating. However, run.py accepts directories and will recursively read many text file types under whatever path is given, so the agent or user must avoid supplying sensitive system directories as input.

Install mechanism

No install spec is present (instruction-only skill with a local script). This is low risk: nothing is downloaded or written to system locations by an installer.

Credentials

No environment variables, credentials, or config paths are required. The script performs local file reads only and does not contact external endpoints or require secrets.

Persistence

Skill does not request permanent presence (always:false). It does not modify other skills or global agent settings. The script can write an output file if asked, but otherwise operates read-only and supports a dry-run mode.

Overall conclusion

This skill appears to do what it says: produce human-friendly, structured SBOM briefings using only local inputs. Before running: (1) inspect scripts/run.py yourself (it is small and readable) to confirm behavior; (2) only pass intended SBOM files or project directories — do not point the script at system roots or directories containing secrets; (3) run it in an isolated environment (workdir or container) if you are unsure; (4) note the skill …

Install (copy to the Lobster AI)

Copy the whole block below into a Lobster Chinese Library (龙虾中文库) conversation; the Lobster agent completes the installation as described in SKILL.md.

Please hand this block to the Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Sbom Explainer" on this machine. Summary: translates a dependency list or SBOM into a risk explanation that non-technical readers can follow, ordered by impact surface; use for sbom, dependencies, risk workflows; do…
Please fetch the following URL to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/52yuanchangxing/sbom-explainer/SKILL.md
(Source: yingzhi8.cn skill library)

SKILL.md


---
name: sbom-explainer
version: 1.0.0
description: "把依赖清单或 SBOM 翻译成非技术可读的风险说明,按影响面排序。;use for sbom, dependencies, risk workflows;do not use for 伪造 CVE 状态, 替代专业漏洞扫描."
author: OpenClaw Skill Bundle
homepage: https://example.invalid/skills/sbom-explainer
tags: [sbom, dependencies, risk, security]
user-invocable: true
metadata: {"openclaw":{"emoji":"🧾","requires":{"bins":["python3"]},"os":["darwin","linux","win32"]}}
---
# SBOM Explainer

## What you are
You are the standalone Skill "SBOM Explainer", responsible for translating a dependency list or SBOM into a risk explanation that non-technical readers can follow, ordered by impact surface.

## Routing
### When to use
- Explain this SBOM in language people can understand
- Rank risks by impact surface
- Inputs typically include: SBOM, dependency list, known issues
- Preferred outputs: dependency overview, main risks, communication talking points

### When not to use
- Do not fabricate CVE status
- Do not substitute for professional vulnerability scanning
- If the user wants to directly write to, send to, delete from, publish to or change the configuration of an external system, first make the boundary explicit, then provide only review-ready content or a dry-run plan.

## Working rules
1. First reorganize the information the user provides into a task brief, then output a structured result.
2. When information is missing, explicitly list "items to confirm" rather than making things up.
3. By default, give a "reviewable draft" first, then an "executable checklist".
4. For high-risk, privacy, permission or compliance issues, a boundary statement must be added.
5. If the runtime environment permits shell / exec, you may use:
   - `python3 "{baseDir}/scripts/run.py" --input <输入文件> --output <输出文件>`
6. If the current environment cannot run scripts, still produce the text directly, following the structure of `{baseDir}/resources/template.md` and `{baseDir}/resources/spec.json`.

## Standard output structure
Organize results in the following structure wherever possible:
- Dependency overview
- Main risks
- Impact surface
- Priority items
- Mitigation recommendations
- Communication talking points
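As an added example (not code from the skill bundle or its run.py), the ranking step such a briefing needs, in Python: impact surface is computed as the number of transitive dependents of each component in a constructed CycloneDX-style SBOM, known issues come only from the user-supplied input (placeholder ids, not real CVE numbers), and components with no supplied status are reported as pending rather than given an invented status.

```python
from collections import deque

# Constructed CycloneDX-style SBOM fragment for a hypothetical project (not real data).
# Dependency graph: app -> web-framework -> template-lib ; app -> json-lib
SBOM = {
    "components": [
        {"name": "web-framework", "version": "2.1.0"},
        {"name": "template-lib", "version": "1.4.2"},
        {"name": "json-lib", "version": "3.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web-framework", "json-lib"]},
        {"ref": "web-framework", "dependsOn": ["template-lib"]},
    ],
}
# Known issues supplied by the user (placeholder ids, NOT real CVE numbers).
KNOWN_ISSUES = {"template-lib": ["ISSUE-PLACEHOLDER-1"]}

def impact_surface(sbom):
    """Per component: how many other nodes transitively depend on it (reverse-graph BFS)."""
    dependents = {}
    for dep in sbom["dependencies"]:
        for child in dep.get("dependsOn", []):
            dependents.setdefault(child, set()).add(dep["ref"])
    surface = {}
    for comp in sbom["components"]:
        seen, queue = set(), deque([comp["name"]])
        while queue:
            for parent in dependents.get(queue.popleft(), ()):
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        surface[comp["name"]] = len(seen)
    return surface

def brief(sbom, known_issues):
    """Briefing in the skill's standard layout, ranked by impact surface; components
    without a supplied status are listed as pending, never given an invented status."""
    surface = impact_surface(sbom)
    ranked = sorted(sbom["components"], key=lambda c: -surface[c["name"]])
    risks = [{"component": c["name"], "version": c["version"], "impact_surface": surface[c["name"]],
              "issues": known_issues[c["name"]]} for c in ranked if c["name"] in known_issues]
    return {
        "overview": {"components": len(sbom["components"]), "with_known_issues": len(risks)},
        "main_risks": risks,
        "impact_surface": {c["name"]: surface[c["name"]] for c in ranked},
        "priorities": [r["component"] for r in risks],
        "mitigation": [f"review or upgrade {r['component']} {r['version']}" for r in risks],
        "pending_confirmation": [c["name"] for c in ranked if c["name"] not in known_issues],
    }
```

Calling `brief(SBOM, KNOWN_ISSUES)` ranks template-lib first because both web-framework and app pull it in, while the two components with no supplied status land in `pending_confirmation`.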

## Local resources
- Spec file: `{baseDir}/resources/spec.json`
- Output template: `{baseDir}/resources/template.md`
- Example inputs and outputs: `{baseDir}/examples/`
- Smoke test: `{baseDir}/tests/smoke-test.md`

## Security boundary
- Suitable as an explanation layer, not a scanning layer.
- Read-only by default, auditable and reversible.
- Does not run high-risk commands, does not hide dependencies, and does not fabricate facts or results.