📦 Agent Security Audit
v1.0.0 Provides a prompt-injection defense checklist for agents, helping developers identify and fix potential security vulnerabilities and safeguarding the security and reliability of an AI agent's runtime inputs and outputs.
1 · 1.8k · 4 current · 4 total
Last updated
2026/2/26
Security scan
OpenClaw
Safe
medium confidence
Assessment recommendation
This is a coherent defensive checklist with runnable examples — but do NOT copy/paste and run the scripts on a production host without review. Things to check before using: 1) inspect every sed/grep/curl invocation for correctness (some examples use sed -i and file paths that can overwrite system files), 2) avoid logging unfiltered external content to /var/log (it may contain secrets or PII), 3) run in a sandbox or container first (the examples write to /tmp and /var/log and modify nginx), 4) te...
✓ Purpose and capabilities
Name/description (prompt‑injection defenses / audit) matches the content: sanitizers, detectors, honeypot patterns, and nginx logging examples. The scripts rely on common UNIX tools (sed, grep, curl, head, tee) and standard paths (/tmp, /var/log) which are reasonable for an on‑host audit toolkit, though the skill metadata did not declare those binaries — this is expected for an instruction-only checklist but worth noting.
ℹ Instruction scope
The SKILL.md contains concrete shell scripts that read external content (URLs, files), run pattern detection, and write results to /tmp and /var/log and shows an nginx config snippet. These are within the stated defensive purpose, but they explicitly direct file writes to system log locations and create/modify on‑disk artifacts; you should review the exact commands (sed -i, grep -v, logging) before executing to avoid accidental data leakage or privilege issues.
✓ Installation mechanism
No install spec or code files — instruction-only. That minimizes install risk (nothing is downloaded or written by an installer).
✓ Credential requirements
The skill requests no environment variables or credentials. The only external interaction is optional fetching of URLs via curl in the safe_fetch example; no secrets or unrelated service credentials are requested.
ℹ Persistence and permissions
Skill is not always-included and allows normal autonomous invocation. The instructions show writing to persistent system locations (/var/log, nginx config) which would require appropriate privileges if you implement them — the skill itself does not request persistent installation or modify other skills.
Security has layers; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/3
● Harmless
Install command
Official: npx clawhub@latest install agent-security-audit
Mirror (accelerated): npx clawhub@latest install agent-security-audit --registry https://cn.longxiaskill.com