技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 1 · 1.3k · 1 current installs · 1 all-time installs
⭐ 1
安装量(当前) 1
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:abyousef739/clawskillshield
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill's code mostly matches its stated purpose (a local static scanner), but there are important mismatches between the runtime API and the documentation plus a behavior (auto-quarantine/move) that could be dangerous if agents invoke it autonomously without safeguards.
目的
Name/SKILL.md/README describe a local static scanner and included Python modules implement that scanner. The requested resources (no env vars, no external binaries) are proportional. Minor oddity: the analyzer flags 'risky imports' such as os/open but the scanner itself uses os and open to perform filesystem operations; this is explainable (the scanner needs filesystem access) but should be documented to avoid confusion.
说明范围
SKILL.md and README present a Python API example that does not match the implementation. Examples show: 'threats = scan_local(...)' and then 'if risk_score < 4: quarantine(...)'. In the actual code, scan_local(path) returns a formatted string report, not a threats list or a numeric risk score. There is no exported function that directly returns a numeric risk score to callers. Also the CLI/API allows an agent to call quarantine(path), which mo…
安装机制
No install spec was provided by the registry (instruction-only) but the package contains a pyproject and console entrypoint so it can be installed with pip locally. There are no external downloads, no network calls in code, and no extract-from-URL behavior — low install risk.
证书
No environment variables, credentials, or config paths are requested. The only filesystem write is the quarantine directory under the user's home (~/.openclaw/quarantine) which is consistent with a quarantine feature.
持久
always is false (no forced inclusion). The skill can be invoked autonomously (default). Because it implements quarantine by moving directories, an autonomous agent using the provided example could move user files. This is not necessarily malicious, but it is a privileged destructive action that should be gated behind safe checks and correct API behavior (see mismatch noted above).
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「ClawSkillShield」。简介:Locally scans OpenClaw/ClawHub skills for security risks like hardcoded secrets…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/abyousef739/clawskillshield/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
# ClawSkillShield 🛡️
**Local-first security scanner for OpenClaw/ClawHub skills.**
## What It Does
- **Static analysis** for security risks and malware patterns
- **Detects**:
- Hardcoded secrets (API keys, credentials, private keys)
- Risky imports (`os`, `subprocess`, `socket`, `ctypes`)
- Dangerous calls (`eval()`, `exec()`, `open()`)
- Obfuscation (base64 blobs, suspicious encoding)
- Hardcoded IPs
- **Risk scoring** (0–10) + detailed threat reports
- **Quarantine** high-risk skills automatically
## Dual-Use Design
- **CLI for humans**: Quick safety checks before installing skills
- **Agent API**: Importable functions for autonomous agents/Moltbots to proactively scan and quarantine risky skills (essential post-ClawHavoc)
## Quick Start
### CLI (Humans)
```bash
pip install -e .
clawskillshield scan-local /path/to/skill
clawskillshield quarantine /path/to/skill
```
### Python API (Agents)
```python
from clawskillshield import scan_local, quarantine
threats = scan_local("/path/to/skill")
if risk_score < 4: # HIGH RISK
quarantine("/path/to/skill")
```
## Zero Dependencies
Pure Python. No network calls. Runs entirely locally.
## Why This Matters
ClawHavoc demonstrated how easily malicious skills can slip into the ecosystem. ClawSkillShield provides a trusted, open-source defense layer—audit the code, run offline, stay safe.
---
**GitHub**: https://github.com/AbYousef739/clawskillshield
**License**: MIT
**Author**: Ab Yousef
**Contact**: contact@clawskillshield.com