📦 skll-scan — 实用工具

Name: skll-scan — 实用工具
Rating: 1

v1.0.0

安全性 scanning 工具用于 OpenClaw Skills. Detects malicious code patterns, extracts domains, 和 checks threat intelligence APIs. Use when: installing new...

1· 328·1 当前·1 累计

by @niuqun2003·MIT

安全 API工具开发工具 AI模型访问代码生成

下载技能包

License

MIT

安全扫描

VirusTotal

无害

查看报告

OpenClaw

安全

high confidence

The skill's code, documentation, and runtime instructions are coherent with its stated purpose as a local static security scanner for OpenClaw Skills and do not request disproportionate privileges or secrets.

评估建议

This skill appears to do what it says: local static scanning and domain checks. Before installing or using it: (1) review the script source yourself (it ships with code) to ensure it meets your policies; (2) avoid hardcoding API keys in the script—use a protected config (~/.skill-scan/config.json) with tight file permissions; (3) be careful enabling external threat-intel lookups for internal/private domains (you may leak sensitive hostnames to external services); (4) the cron example edits /etc/...

详细分析 ▾

✓ 用途与能力

The name/description, SKILL.md, and scripts/skill-scan.py are aligned: the tool performs static pattern scanning, domain extraction, and (optional) threat-intel checks. There are no unexpected required binaries, environment variables, or unrelated capabilities requested.

ℹ 指令范围

SKILL.md instructs running the included Python scanner against skill directories and provides CI and cron examples. This stays within the scanner's scope. Note: the cron example writes to /etc/cron.d and /var/log (system-level locations) which typically require elevated privileges; also the docs encourage adding API keys to the script/config to enable external threat-intel lookups, which would cause domain data to be sent to third-party APIs if enabled.

✓ 安装机制

No install spec is provided (instruction-only) and the shipped script is run by the user; this is the lower-risk option. No remote downloads or archive extraction are used by the skill itself.

ℹ 凭证需求

The skill declares no required env vars or secrets. The documentation describes storing API keys in a config or inserting them into the script — acceptable for threat-intel integrations but carries the usual caution: do not hardcode secrets, prefer a secured config, and be mindful of sending internal/private domains to external services.

✓ 持久化与权限

always is false and the skill is user-invocable; it does not request persistent 'always' inclusion or modify other skills. The example for periodic auditing (cron) is user-controlled and not automatic.

⚠ scripts/skill-scan.py:52

File read combined with network send (possible exfiltration).

安全有层次，运行前请审查代码。

License

MIT

查看条款 ↗

运行时依赖

无特殊依赖

安装命令

点击复制

官方npx clawhub@latest install skll-scan

镜像加速npx clawhub@latest install skll-scan --registry https://cn.longxiaskill.com镜像同步中

需要定制？告诉我你的需求 →

数据来源：ClawHub ↗ · 中文优化：龙虾技能库