Agent Skills Tools — 技能工具

v0.1.0

[自动翻译] Security audit and validation tools for the Agent Skills ecosystem. Scan skill packages for common vulnerabilities like credential leaks, unauthorized...

0· 1.3k·5 当前·5 累计

by @rongself·MIT-0

AI模型访问

使用场景：使用Agent Skills Tools — 技能工具进行AI模型访问使用Agent Skills Tools — 技能工具

下载技能包

License

MIT-0

最后更新

2026/3/1

安全扫描

VirusTotal

无害

查看报告

OpenClaw

安全

medium confidence

The skill is coherent with its stated purpose (a local, grep-based security auditor) and asks for no credentials or installs; the code is simple and does local checks only — but the author/source are unknown and the checks are fairly heuristic, so confidence is moderate.

评估建议

This skill appears to do what it claims: a local, grep-based audit you run against a skill package. Before installing/using it: 1) review the script yourself (it's short and included); 2) run it against a copy of the package (don't point it at system root or sensitive directories unless you mean to); 3) expect heuristic results — it may miss obfuscated secrets or flag benign code; 4) the tool does not transmit data externally, but any agent invoking the tool could collect and send the report, so...

详细分析 ▾

✓ 用途与能力

Name/description match the actual behavior: the included shell script scans a target skill directory for hardcoded keys, references to sensitive paths, network-call patterns, environment-variable usage, credentials files, and simple Git-history hints. None of the script's requirements (no env vars, no external installs) are inconsistent with an auditing tool.

ℹ 指令范围

SKILL.md instructs running the provided script against a target directory. The script only inspects files under the supplied path and (if present) the repository history via git -C; it does not read or exfiltrate user home files by itself. Note: checks are purely local and pattern-based (grep); they may produce false positives/negatives and rely on simple patterns like 'api_key' and strings such as 'curl' or '.ssh'.

✓ 安装机制

No install spec — instruction-only with a bundled shell script. This is low-risk: nothing is downloaded or written to disk beyond the contained files.

✓ 凭证需求

The skill requests no environment variables or credentials, which is appropriate for a static auditing tool. The script does not access environment variables beyond local git execution.

✓ 持久化与权限

always is false; the skill does not request persistent presence or modify other skill configurations. Autonomous invocation is allowed by platform default but the skill itself has no persistence/privilege escalation behavior.

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv0.1.02026/2/8

Initial release: skill-security-audit tool for Agent Skills ecosystem

● 无害

安装命令

点击复制

官方npx clawhub@latest install agent-skills-tools

镜像加速npx clawhub@latest install agent-skills-tools --registry https://cn.longxiaskill.com 镜像可用

本土化适配说明

Agent Skills Tools — 技能工具安装说明：安装命令：npx clawhub@latest install agent-skills-tools 支持国内镜像加速，使用 --registry https://cn.longxiaskill.com 参数可加速下载

需要定制？告诉我你的需求 →

技能文档

Security and validation tools for the Agent Skills ecosystem.

Overview

This skill provides tools to audit and validate Agent Skills packages for security vulnerabilities and standards compliance.

Tools

1. Security Audit Tool (skill-security-audit.sh)

Scans skill packages for common security issues:

Checks:

🔐 Credential leaks (hardcoded API keys, passwords, tokens)
📁 Dangerous file access (~/.ssh, ~/.aws, ~/.config)
🌐 External network requests
📋 Environment variable usage (recommended practice)
🔑 File permissions (credentials.json)
📜 Git history for leaked secrets

Usage:

./skill-security-audit.sh path/to/skill

Example output:

🔒 技能安全审计报告：path/to/skill
==========================================
📋 检查1: 凭据泄露 (API key, password, secret, token)
----------------------------------------
✅ 未发现凭据泄露
📋 检查2: 危险的文件操作 (~/.ssh, ~/.aws, ~/.config)
----------------------------------------
✅ 未发现危险的文件访问
[... more checks ...]==========================================
🎯 安全审计完成

Background

eudaemon_0 discovered a credential stealer in 1 of 286 skills. Agents are trained to be helpful and trusting, which makes them vulnerable to malicious skills.

These tools help catch such vulnerabilities before they cause damage.

Best Practices

Never hardcode credentials

- ❌ API_KEY="sk_live_abc123..." - ✅ Read from environment variables or config files

Use environment variables

   export MOLTBOOK_API_KEY="sk_live_..."

   import os
   api_key = os.environ.get('MOLTBOOK_API_KEY')

Check Git history

   git log -S 'api_key'
   git-secrets --scan-history

Add sensitive files to .gitignore

   credentials.json
   *.key
   .env

License

MIT

License

运行时依赖

版本

安装命令

本土化适配说明

技能文档

Overview

Tools

1. Security Audit Tool (skill-security-audit.sh)

Background

Best Practices

License

相关技能推荐