
portable-deployment-audit

v1.0.2

Read-only security auditing for OpenClaw deployments, repositories, and local project directories. Scan an explicit target directory for exposed credentials,...

by @otweihan (WeiHan) · MIT-0

License: MIT-0
Last updated: 2026/3/22
Security scan (VirusTotal): harmless
OpenClaw review: safe, high confidence
The skill's code and instructions are consistent with a read-only, file-inspection deployment audit; nothing requests unrelated credentials or installs unexpected components, though there are a few small scope/metadata mismatches to be aware of.
Assessment advice
This skill appears to do what it claims: a read-only, file-based audit. Before installing/using it, ensure you have node available (the SKILL.md runs the script with 'node' but the registry metadata doesn't declare node), read the script yourself if you're concerned, and avoid pointing the scanner at sensitive system files or absolute paths you don't want inspected (don't pass --env-file or --dockerfile pointing to secrets unless you intend to). Run it locally or in an isolated environment first...
Detailed analysis
Purpose and capabilities
Name/description match the included script. The script inspects repository/project files (env, Dockerfile, compose, source files) and reports findings; this aligns with a portable read-only audit.
Instruction scope
SKILL.md instructs running the script via node (node command shown), but the registry metadata lists no required binary — declaring 'node' as a required binary would be more accurate. The script collects some host metadata (os.hostname()) which is not mentioned in the prose; it also accepts explicit --env-file and --dockerfile paths (which can point anywhere the invoking user has read access). The script asserts it does not execute external binaries and the code shown contains only filesystem inspection (no child_process or network calls).
Install mechanism
No install spec is provided and there are no downloads or extract operations — the skill is delivered as files (script + SKILL.md). This is low-risk compared with remote installers.
Credential requirements
The skill does not request any environment variables or credentials. It does read files discovered under the target directory and will also read any explicit file paths passed via --env-file/--dockerfile, which is reasonable for an auditor but means callers should not point it at sensitive files in shared hosts. The script records hostname and platform in its runtime metadata (minor identifying info).
Persistence and privileges
The skill is not always-enabled and does not request elevated or persistent privileges. It does not modify agent/system configuration; execution is on-demand and local.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify and redistribute; no attribution required.

Runtime dependencies

No special dependencies declared (the script itself is run with node; see the assessment above)

Versions

latest: v1.0.2 (2026/3/22)

  • Now performs security audits using file inspection only; no external binaries or shell commands are executed.
  • Audits explicit port exposure hints from config and compose files instead of actively inspecting listening ports.
  • Adjusted `--allow-port` to suppress expected configured/published ports.
  • Git exposure check now flags directory exposure and missing `.gitignore`, without using git commands.
  • Documentation updated to clarify scope and file-inspection-only nature of all checks.


Install command

Official: npx clawhub@latest install portable-deployment-audit
Mirror: npx clawhub@latest install portable-deployment-audit --registry https://cn.clawhub-mirror.com

Skill documentation

Run a read-only security review against a chosen directory.

Rules

  • Treat this skill as read-only.
  • Do not use it to modify files automatically.
  • Pass --target when auditing something other than the current directory.
  • Use --format json for machine-readable output; stdout will contain pure JSON only.
  • Use --strict when you want a non-zero exit on HIGH findings in CI.
  • Use --exclude-dir to skip bulky or irrelevant directories in mixed repos.
  • Use --allow-port to suppress expected configured/published ports in local or staged environments.
  • This version uses file inspection only and does not invoke external binaries such as git, ss, or netstat.
  • Expect limited permission analysis on Windows; Unix mode-bit checks only run on Unix-like systems.

Commands

Quick audit of current directory

node skills/portable-deployment-audit/scripts/audit.cjs --target .

Audit another directory

node skills/portable-deployment-audit/scripts/audit.cjs --target /path/to/project

JSON report

node skills/portable-deployment-audit/scripts/audit.cjs --target . --format json > audit-report.json

CI-style run

node skills/portable-deployment-audit/scripts/audit.cjs --target . --format json --strict

Ignore expected noise

node skills/portable-deployment-audit/scripts/audit.cjs --target . --exclude-dir vendor,tmp --allow-port 3000,8080

Specific checks only

node skills/portable-deployment-audit/scripts/audit.cjs --target . --check credentials,configs
node skills/portable-deployment-audit/scripts/audit.cjs --target . --ports
node skills/portable-deployment-audit/scripts/audit.cjs --target . --docker

Checks

  • credentials: scan env/config/code files for likely secrets and hardcoded credentials
  • ports: inspect explicit port exposure hints from config and compose files, respect --allow-port, and warn more strongly on commonly exposed service ports
  • configs: flag risky debug logging, wildcard CORS, and obvious placeholder/default secrets
  • permissions: inspect Unix mode bits on sensitive files; Windows reports limitations instead of guessing
  • docker: inspect Dockerfile and compose files for root/privileged runtime, host networking, published ports, missing HEALTHCHECK, and floating tags
  • git: flag repository exposure indicators such as exposed .git directories and missing .gitignore

Notes

  • --fix is intentionally disabled in this version.
  • Findings are advisory and should be reviewed before making changes.
  • Text output includes short remediation recommendations derived from the findings.
  • The script performs file inspection only; no shell commands or external binaries are executed.
  • For automation, prefer --format json and parse the structured report.
Data source: ClawHub