📦 Audit — Code Audit

v1.0.0

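The ultimate verifier built for the synthetic economy: it autonomously reviews code, contracts, and fund flows, guarding the truth in an era of unlimited generation.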

0 · 654 · 13 current · 16 total
by @duclawbot (Duclawbot)
Last updated: 2026/4/22
Security scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Assessment recommendation
This skill reads like a high-level manifesto rather than an implementable tool. Before installing or enabling it: ask the author for concrete runtime details (what APIs/nodes it needs, what binaries or libraries it expects, how proofs are signed and where private keys are stored), demand provenance or source code (who wrote it, where is the repo), and never supply private keys or system credentials until you understand exactly how they will be used and stored. Because the SKILL.md is intentional...
Detailed analysis
Purpose and capabilities
The name/description claim institutional-grade audits (on-chain/off-chain reconciliation, signing proofs, smart-contract security), but the skill declares no binaries, no environment variables, no config paths, and no install steps. Realizing these capabilities would normally require network access, blockchain node/API keys, signing keys, and specialized tooling — none of which are specified.
Instruction scope
SKILL.md is conceptual: it defines audit domains and three high-level protocol steps (evidence collection, discrepancy analysis, certification) but contains no concrete runtime instructions, endpoints, or limits. The language is broad and open-ended, which gives an agent wide discretion to access data sources or request credentials without constraints.
Install mechanism
No install spec and no code files are present, which minimizes immediate disk/execution risk. This is consistent with an instruction-only skill, but also means there is nothing to verify about implementation or provenance.
Credential requirements
The described functionality implies the need for sensitive credentials (blockchain keys, API tokens, private signing keys) and access to external services, yet the skill requests none. That mismatch is suspicious: either the skill is incomplete/documentation-only, or it expects the agent to acquire or ask for secrets at runtime without declaring them.
Persistence and privileges
The skill is not marked 'always' and uses the platform default for autonomous invocation. That alone is not a problem, but combined with the vague, high-privilege-sounding description it means an agent could be instructed to perform broad actions if allowed — ask the author how autonomous runs should be constrained.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/3/8

Benign

Install command

Official: npx clawhub@latest install audit
Mirror (accelerated): npx clawhub@latest install audit --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库