📦 Aegis Audit — Deep Security Audit

v0.1.10

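Deep behavioral security audit for AI agent skills and MCP tools: it combines AST, Semgrep and 15 specialized scanners for deterministic static analysis, generates cryptographic lockfiles, offers optional LLM intent analysis, and outputs a full security report with CWE mappings, OWASP tags and line-number references. Suited to security gating before installation, review or authorization.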

by @sanguineseal·Aegis
License
Aegis
Last updated
2026/4/22
Security scan
VirusTotal
Suspicious
OpenClaw
Safe
medium confidence
Assessment recommendation
This skill appears to do what it says: a defensive, deterministic scanner that runs locally by default and only sends code to third‑party LLMs if you explicitly configure an API key. Before installing: verify the PyPI/GitHub publisher and pin the package version; inspect the package contents if possible; run scans with --no-llm when scanning sensitive code; do not set API keys unless you accept sending scanned code to that provider; review ~/.aegis/config.yaml after setup; consider running initi...
Detailed analysis
Purpose and capabilities
Name/description (deep security audit for skills/MCP tools) match what is requested and documented: it requires an 'aegis' CLI binary and a local config path (~/.aegis/config.yaml). The declared binary and config are proportionate to an auditing tool.
Instruction scope
SKILL.md instructs the agent to install/run the aegis CLI, scan directories, generate/verify lockfiles, and optionally run an MCP stdio server. It explicitly defaults to offline/from-disk scanning and documents that LLM analysis is opt-in and only occurs when API keys are configured. No instructions ask the agent to read unrelated system secrets or exfiltrate data by default.
Install mechanism
Install is via pip or 'uv tool install aegis-audit' (PyPI package). This is expected for a Python CLI but carries normal supply-chain risk: you should verify the PyPI publisher, pin versions, and inspect package contents before installing. The install does create an 'aegis' binary as declared.
Credential requirements
No required environment variables are declared. The SKILL.md documents optional API keys (GEMINI_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY) for optional LLM features — these are justified for the described optional LLM analysis and are disabled by default. The only required config path (~/.aegis/config.yaml) is reasonable for storing configuration and optional keys.
Persistence and privileges
The skill is not marked 'always: true' and does not request system-wide privileges. It can run an MCP stdio server (mcp-serve) which is normal for an MCP tool. There is no instruction to modify other skills' configurations or global agent settings beyond adding an MCP entry pointing to its own command.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v0.1.10 · 2026/2/12

Suspicious

Install command

Official: npx clawhub@latest install aegis-audit
Mirror: npx clawhub@latest install aegis-audit --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库