my-test-skill
Intelligent code security scanner with hybrid local-cloud detection. Fingerprints packages, runs static behavioral analysis, and consults cloud threat intelligence (enabled by default, can be disabled) for confidence scoring.
**Install / download**

TotalClaw CLI (recommended):

```bash
totalclaw install skilldb:jinxiaotian1~my-test-skill
```

Direct cURL download, no login required:

```bash
curl -fsSL https://skills.taituai.com/api/skills/skilldb%3Ajinxiaotian1~my-test-skill/file -o my-test-skill.md
```

Get the source from the Git repository:

```bash
git clone https://github.com/openclaw/skills/commit/0dfcca82c95538a54aad52e068fe879e2196ee9e
```

# yidun-skill-sec ⚡
Hybrid local-cloud security scanner for third-party code packages. Scans fast, scores precisely, fails safely.
## Security Disclosure
This skill uploads **non-sensitive metadata** (file hashes, behavior tag names, and extracted code snippets that triggered detections) to a Yidun threat intelligence endpoint for analysis. The following data is explicitly **not uploaded**: full source code, user credentials, environment variables, or any personal data.
The cloud endpoint (`as.dun.163.com`) is operated by **NetEase Yidun**, a licensed cybersecurity service provider. Cloud analysis is enabled by default and strongly recommended. It can be explicitly disabled by the user if network access is restricted or not desired.
## What It Does
YidunClawSec fingerprints a code package, runs behavioral analysis locally, and consults cloud threat intelligence to produce a quantified safety score. It catches malware, data leaks, privilege abuse, and obfuscation — before anything gets installed.
## How It Works — Four Phases
```
┌──────────────┐     ┌──────────────┐     ┌──────────────────┐     ┌────────────────┐
│    SOURCE    │────▶│ FINGERPRINT  │────▶│ BEHAVIORAL SCAN  │────▶│  CLOUD INTEL   │
│   VETTING    │     │ hash + meta  │     │ static analysis  │     │ (default: on)  │
└──────────────┘     └──────────────┘     └──────────────────┘     └────────────────┘
       │                    │                      │                       │
       └────────────────────┴──────────────────────┴───────────────────────┘
                                         ▼
                               ┌───────────────────┐
                               │  THREAT VERDICT   │
                               │  score + labels   │
                               └───────────────────┘
```
---
## Phase 0: Source Vetting
Before downloading or scanning any code, YidunClawSec evaluates **where the package comes from**. A package from an untrusted or unknown source carries inherent risk regardless of its content.
### 0.1 Source Tags
| Tag | What It Catches | Severity Boost |
|-----|----------------|----------------|
| `SRC_UNKNOWN_REGISTRY` | Package originates from an unrecognized or unofficial registry | +20 |
| `SRC_BLACKLISTED_DOMAIN` | Install URL or declared homepage matches a known malicious domain/IP | +40 |
| `SRC_UNTRUSTED_AUTHOR` | Publisher account is new (<30 days), unverified, or has prior malicious packages | +15 |
> **Hard Rule**: Any `SRC_BLACKLISTED_DOMAIN` hit forces the verdict to **CRITICAL** immediately — scanning halts and the package is blocked without further analysis.
### 0.2 Registry Allowlist
The following registries are considered trusted by default:
| Registry | Protocol |
|----------|---------|
| ClawHub (`clawhub.com`) | HTTPS + signed manifest |
| npm (`registry.npmjs.org`) | HTTPS |
| PyPI (`pypi.org`) | HTTPS |
| GitHub Releases (`github.com/*/releases`) | HTTPS |
| Custom allowlist via `YIDUN_SKILL_SEC_TRUSTED_REGISTRIES` | Configurable (registry only) |
Packages installed directly from a raw URL, a private server, or an unknown host are tagged `SRC_UNKNOWN_REGISTRY` unless the host is on the allowlist.
### 0.3 Author / Publisher Trust
For supported registries (npm, PyPI, ClawHub), the scanner checks the publishing account's trust profile:
| Signal | Penalizes When |
|--------|---------------|
| Account age | < 30 days old |
| Verification status | Unverified / no 2FA |
| Prior packages | Any previously removed for malware |
| Ownership match | Author field in package metadata ≠ registry profile name |
```
# Source vetting output example
SOURCE VETTING
Registry: clawhub.com → ✅ trusted
Domain: clawhub.com → ✅ not blacklisted
Author: some-author (verified, age: 2y 3m) → ✅ trusted
Source score: 100/100 Tags: none
```
### 0.4 Source Metadata in Cloud Request
Source vetting results are included in the cloud request as `source_meta`:
```json
"source_meta": {
"registry": "clawhub.com",
"install_url": "https://clawhub.com/packages/data-processor-1.2.3.tar.gz",
"author_verified": true,
"author_account_age_days": 823,
"prior_removals": 0,
"tags": []
}
```
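The four source-vetting steps above (registry allowlist, blacklist hard rule, publisher trust signals, and the `source_meta` object) fit together as follows. This is an added example written for this page, not the skill's own code: the blacklist contents, the `Publisher` record, the reading of `github.com/*/releases` as "owner/repo/releases", and the comma-separated format assumed for `YIDUN_SKILL_SEC_TRUSTED_REGISTRIES` are all assumptions.

```python
"""Phase 0 source vetting, written as an added example of the rules in 0.1-0.4.
Not the skill's own code: the blacklist, the Publisher records and the
comma-separated format of YIDUN_SKILL_SEC_TRUSTED_REGISTRIES are assumptions."""
import os
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Severity boosts from the 0.1 table.
SOURCE_BOOSTS = {"SRC_UNKNOWN_REGISTRY": 20, "SRC_BLACKLISTED_DOMAIN": 40, "SRC_UNTRUSTED_AUTHOR": 15}

# Default allowlist from 0.2. None trusts the whole host; GitHub is trusted only
# for release downloads (this example's reading of "github.com/*/releases").
DEFAULT_TRUSTED = {
    "clawhub.com": None,
    "registry.npmjs.org": None,
    "pypi.org": None,
    "github.com": re.compile(r"^/[^/]+/[^/]+/releases(/|$)"),
}

# Constructed blacklist for the example; a deployment would load this from threat intel.
BLACKLIST = {"evil-updates.example", "203.0.113.7"}


@dataclass
class Publisher:
    """Registry profile of the publishing account (the 0.3 signals)."""
    name: str                 # registry profile name
    verified: bool            # verified account with 2FA
    account_age_days: int
    prior_removals: int       # packages previously removed for malware
    declared_author: str      # "author" field inside the package metadata


@dataclass
class SourceVerdict:
    score: int
    tags: list = field(default_factory=list)
    critical: bool = False
    source_meta: dict = field(default_factory=dict)


def trusted_registries():
    """Default allowlist plus extra hosts from YIDUN_SKILL_SEC_TRUSTED_REGISTRIES (assumed comma-separated)."""
    trusted = dict(DEFAULT_TRUSTED)
    for host in os.environ.get("YIDUN_SKILL_SEC_TRUSTED_REGISTRIES", "").split(","):
        if host.strip():
            trusted[host.strip().lower()] = None
    return trusted


def is_trusted(install_url, trusted):
    u = urlparse(install_url)
    host = (u.hostname or "").lower()
    if host not in trusted:
        return False
    rule = trusted[host]
    return rule is None or rule.match(u.path) is not None


def source_meta(registry, install_url, publisher, tags):
    """Shape of the `source_meta` object sent in the cloud request (0.4)."""
    return {
        "registry": registry,
        "install_url": install_url,
        "author_verified": publisher.verified if publisher else None,
        "author_account_age_days": publisher.account_age_days if publisher else None,
        "prior_removals": publisher.prior_removals if publisher else None,
        "tags": list(tags),
    }


def vet_source(install_url, homepage=None, publisher: Optional[Publisher] = None, trusted=None):
    trusted = trusted if trusted is not None else trusted_registries()
    registry = (urlparse(install_url).hostname or "").lower()
    hosts = {(urlparse(u).hostname or "").lower() for u in (install_url, homepage) if u}
    tags = []

    # Hard rule: a blacklisted install URL or homepage forces CRITICAL and stops the scan.
    if hosts & BLACKLIST:
        tags.append("SRC_BLACKLISTED_DOMAIN")
        return SourceVerdict(0, tags, True, source_meta(registry, install_url, publisher, tags))

    if not is_trusted(install_url, trusted):
        tags.append("SRC_UNKNOWN_REGISTRY")

    # 0.3: a publisher profile exists only for supported registries; any single
    # penalizing signal is enough to tag the author as untrusted.
    if publisher is not None and (
        publisher.account_age_days < 30
        or not publisher.verified
        or publisher.prior_removals > 0
        or publisher.declared_author != publisher.name
    ):
        tags.append("SRC_UNTRUSTED_AUTHOR")

    score = max(0, 100 - sum(SOURCE_BOOSTS[t] for t in tags))
    return SourceVerdict(score, tags, False, source_meta(registry, install_url, publisher, tags))


if __name__ == "__main__":
    pub = Publisher("some-author", True, 823, 0, "some-author")  # constructed publisher
    v = vet_source("https://clawhub.com/packages/data-processor-1.2.3.tar.gz",
                   "https://clawhub.com/some-author", pub)
    print(f"Source score: {v.score}/100  Tags: {', '.join(v.tags) or 'none'}")
```

The blacklist check runs before the allowlist check on purpose: a blacklisted host that also happens to be on a custom allowlist must still be blocked, and returning early keeps the hard rule from being weakened by later scoring.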
---
## Phase 1: Fingerprint
Before anything else, build a complete inventory of the package.
**Actions performed:**
1. List every file in the package
2. Compute `MD5` hash per file via `openssl dgst -md5`
3. Derive a composite package fingerprint (sorted hash of all file hashes)
4. Extract metadata: name, version, author, declared dependencies
**Output:** A fingerprint manifest used for cache lookups and the audit trail.
```bash
# Example: compute file hashes (one "MD5(path)= <hash>" line per file)
find /tmp/pkg -type f -exec openssl dgst -md5 {} \;
# Example: composite fingerprint. Sort the per-file lines, then hash the sorted list.
# The lines include the path under /tmp/pkg, so the composite depends on the scan root;
# hash relative paths if the fingerprint must be stable across machines.
find /tmp/pkg -type f -exec openssl dgst -md5 {} \; | sort | openssl dgst -md5
```
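The same four steps as a manifest builder, added here as an example and not taken from the skill: it inventories the files, hashes each one with the MD5 digest the README specifies, derives the composite from the sorted per-file hashes, and pulls name, version, author and dependencies from `package.json`. The manifest layout, the decision to sort the hash strings rather than the `openssl` output lines, and the constructed sample package are this example's assumptions.

```python
"""Phase 1 fingerprint manifest, an added example of steps 1-4.
Not the skill's own code: the manifest layout and the choice to sort the hash
strings (rather than the `openssl` output lines) before hashing are assumptions."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_md5(path):
    # MD5 is the digest the README specifies for the inventory. It works as a cache
    # key and audit record; it is not a collision-resistant integrity proof.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_metadata(root):
    """Step 4: name, version, author, declared dependencies. Only package.json is
    handled here; a fuller scanner would also parse pyproject.toml, setup.cfg, etc."""
    meta = {"name": None, "version": None, "author": None, "dependencies": []}
    manifest = root / "package.json"
    if manifest.is_file():
        data = json.loads(manifest.read_text(encoding="utf-8"))
        author = data.get("author")
        meta.update(
            name=data.get("name"),
            version=data.get("version"),
            author=author.get("name") if isinstance(author, dict) else author,
            dependencies=sorted(data.get("dependencies", {})),
        )
    return meta


def fingerprint_package(root):
    """Steps 1-3: inventory every file, hash each one, derive the composite."""
    root = Path(root)
    entries = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        entries.append({
            # Relative POSIX path, so the same package unpacked elsewhere yields the same manifest.
            "path": path.relative_to(root).as_posix(),
            "size": path.stat().st_size,
            "md5": file_md5(path),
        })
    # Composite: sort the per-file hashes, join them, hash the result.
    composite = hashlib.md5("\n".join(sorted(e["md5"] for e in entries)).encode()).hexdigest()
    return {"composite_md5": composite, "files": entries, "metadata": extract_metadata(root)}


def build_sample_package(tamper=False):
    """Constructed two-file package for demonstration; returns its directory."""
    root = Path(tempfile.mkdtemp(prefix="pkg-"))
    (root / "src").mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "data-processor", "version": "1.2.3",
        "author": "some-author", "dependencies": {"axios": "^1.6.0"},
    }))
    body = "module.exports = () => 42;\n" + ("// tampered\n" if tamper else "")
    (root / "src" / "index.js").write_text(body)
    return root


if __name__ == "__main__":
    print(json.dumps(fingerprint_package(build_sample_package()), indent=2))
```

Because the composite is built from relative paths and sorted hashes, two unpacked copies of the same archive produce the same fingerprint, which is what makes it usable as a cache key; a single changed byte in any file changes it.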
---
## Phase 2: Behavioral Scan
A static analysis pass that classifies every file by its **observable behaviors**. No code is executed — only pattern matching and structural inspection.
### 2.1 Behavior Categories
Each detected behavior is tagged into one of these categories:
| Tag | What It Catches | Severity Boost |
|-----|----------------|----------------|
| `NET_OUTBOUND` | HTTP/HTTPS calls, socket connections, DNS lookups | +15 |
| `NET_IP_RAW` | Connections to raw IPs instead of hostnames | +25 |
| `FS_READ_SENSITIVE` | Reads from `~/.ssh`, `~/.gnupg`, `~/.aws`, `~/.config/gh` | +30 |
| `FS_WRITE_SYSTEM` | Writes outside the project workspace | +20 |
| `EXEC_DYNAMIC` | `eval()`, `exec()`, `Function()`, backtick interpolation | +25 |
| `EXEC_SHELL` | Spawns shell subprocesses | +10 |
| `ENCODE_DECODE` | Base64/hex encode-decode chains (potential obfuscation) | +20 |
| `CRED_HARVEST` | Reads tokens, passwords, API keys from env or files | +35 |
| `PRIV_ESCALATION` | `sudo`, `chmod 777`, `setuid` patterns | +30 |
| `OBFUSCATED` | Minified/packed code, non-readable variable names | +15 |
| `AGENT_MEMORY` | Accesses agent memory files (identity, preferences, context) | +25 |
| `PKG_INSTALL` | Installs unlisted system packages or dependencies | +20 |
| `COOKIE_SESSION` | Reads browser cookies, localStorage, session tokens | +25 |
| `BYPASS_SAFETY` | Uses flags that skip security checks: `--no-verify`, `--force`, `--allow-root`, `--skip-ssl` | +20 |
| `DESTRUCTIVE_OP` | Irreversible destructive operations: `rm -rf`, `git reset --hard`, `DROP TABLE`, `mkfs`, `dd if=` | +25 |
| `PROMPT_INJECT` | Embeds natural language directives targeting the AI agent, attempting to override its rules, bypass constraints, or assume an unrestricted persona | +35 |
### 2.2 How Severity Scores Work
- Start at **100** (fully safe)
- Each behavior tag **subtracts** its severity boost from the score
- Multiple tags stack, but the score floors at **0**
- A single `CRED_HARVEST` or `PRIV_ESCALATION` tag triggers an **immediate escalation** — the package is flagged regardless of total score
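The scoring rules above, combined with a handful of the regexes sketched in 2.3, are enough to show how a scan turns matched lines into tags, a score and an escalation flag. This is an added example for this page, not the skill's own code: the regexes are one rendering of a subset of the 2.3 rules, only eight of the 2.1 tags are implemented, and `SAMPLE` is a constructed install script written to trigger them.

```python
"""Phase 2 behavioral scan plus the 2.2 scoring rules, an added example.
Not the skill's own code: the regexes render a subset of the 2.3 sketch and
SAMPLE is a constructed install script that exists only to exercise them."""
import re

# Severity boosts from the 2.1 table (the subset of tags implemented below).
BOOSTS = {
    "NET_OUTBOUND": 15, "NET_IP_RAW": 25, "FS_READ_SENSITIVE": 30, "EXEC_DYNAMIC": 25,
    "ENCODE_DECODE": 20, "CRED_HARVEST": 35, "PRIV_ESCALATION": 30, "BYPASS_SAFETY": 20,
}
# Tags that flag the package regardless of the total score.
ESCALATE = {"CRED_HARVEST", "PRIV_ESCALATION"}

RULES = {
    "NET_OUTBOUND": re.compile(r"\b(curl|wget|fetch|http\.get|requests\.(get|post)|axios|urllib)\b"),
    "NET_IP_RAW": re.compile(r"(https?://|connect\()\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"),
    "FS_READ_SENSITIVE": re.compile(r"\b(cat|read|open)\b.*\.(ssh|gnupg|aws|config/gh|kube)\b"),
    "EXEC_DYNAMIC": re.compile(r"\beval\s*\(|\bexec\s*\(|new\s+Function\s*\(|`.*\$\("),
    "ENCODE_DECODE": re.compile(r"base64\s+(encode|decode|-d)|\batob\(|\bbtoa\(|Buffer\.from\(.*base64"),
    "CRED_HARVEST": re.compile(
        r"\b(API_KEY|SECRET|TOKEN|PASSWORD|PRIVATE_KEY)\b.*=|cat.*id_rsa|cat.*\.env|keyring\.get"),
    "PRIV_ESCALATION": re.compile(r"\bsudo\s|chmod\s+[0-7]*7\b|chown\s+root|setuid"),
    "BYPASS_SAFETY": re.compile(
        r"--no-verify|--force|--allow-root|--skip-ssl|--insecure|--no-check-certificate"
        r"|GIT_SSL_NO_VERIFY|NODE_TLS_REJECT_UNAUTHORIZED"),
}
# Loopback destinations do not count as outbound network activity (2.3, NET_OUTBOUND).
LOOPBACK = re.compile(r"localhost|127\.0\.0\.1|::1")


def scan_text(text):
    """Static pass over one file: returns {tag: [(line_no, snippet), ...]}.
    Nothing is executed; the snippet is the evidence a report would carry."""
    hits = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        for tag, rx in RULES.items():
            if not rx.search(line):
                continue
            if tag == "NET_OUTBOUND" and LOOPBACK.search(line):
                continue
            hits.setdefault(tag, []).append((line_no, line.strip()[:120]))
    return hits


def score(hits):
    """2.2: start at 100, subtract each tag's boost once, floor at 0. An escalation
    tag flags the package even when the remaining score would look acceptable."""
    tags = sorted(hits)
    total = max(0, 100 - sum(BOOSTS[t] for t in tags))
    escalated = sorted(ESCALATE.intersection(tags))
    return {"score": total, "tags": tags, "escalated": escalated, "flagged": bool(escalated)}


# Constructed install script that exercises the rules; it is not a real package.
SAMPLE = """\
#!/bin/sh
curl -fsSL http://localhost:8080/health
cat ~/.ssh/id_rsa
npm install --force some-dep
curl --insecure https://203.0.113.7/pkg.tgz
sudo chmod 777 /opt/tool
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for tag, where in sorted(hits.items()):
        print(f"{tag:18} lines {[n for n, _ in where]}")
    print(score(hits))
```

Two details worth noting when reading the output: the loopback `curl` on line 2 produces no `NET_OUTBOUND` hit, and the score floors at 0 because six tags stack to more than 100, but the decision that matters is `flagged`, which `CRED_HARVEST` and `PRIV_ESCALATION` set on their own.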
### 2.3 Pattern Matching Rules
The scanner matches against concrete code patterns:
```
NET_OUTBOUND:
curl|wget|fetch|http\.get|requests\.(get|post)|axios|urllib
+ destination is NOT localhost/127.0.0.1/::1
NET_IP_RAW:
\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b in URL/connection context
FS_READ_SENSITIVE:
cat|read|open.*\.(ssh|gnupg|aws|config/gh|kube)
EXEC_DYNAMIC:
eval\s*\(|exec\s*\(|new\s+Function\s*\(|`.*\$\(
ENCODE_DECODE:
base64\s+(encode|decode|-d)|atob\(|btoa\(|Buffer\.from\(.*base64
CRED_HARVEST:
(API_KEY|SECRET|TOKEN|PASSWORD|PRIVATE_KEY).*=|
cat.*id_rsa|cat.*\.env|keyring\.get
PRIV_ESCALATION:
sudo\s|chmod\s+[0-7]*7|chown\s+root|setuid
AGENT_MEMORY:
MEMORY\.md|USER\.md|SOUL\.md|IDENTITY\.md|\.claude|\.claw/memory
OBFUSCATED:
single-line file >500 chars with no whitespace|
variable names all <3 chars in >20 occurrences
BYPASS_SAFETY:
--no-verify|--force|--allow-root|--skip-ssl|--insecure|--no-check-certificate|
GIT_SSL_NO_VERIFY|NODE_TLS_REJECT_UNAUTHORIZE