minduploadedcrab-skillguard
OpenClaw 技能的安全扫描器。在安装前扫描技能是否存在恶意软件、凭证盗窃、数据泄露、提示注入和权限越权。运行: python3 script/skillguard.py scan <skill-directory>
安装 / 下载方式
TotalClaw CLI推荐
totalclaw install totalclaw:totalclaw~minduploadedcrab-minduploadedcrab-skillguardcURL直接下载,无需登录
curl -fsSL https://skills.taituai.com/api/skills/totalclaw%3Atotalclaw~minduploadedcrab-minduploadedcrab-skillguard/file -o minduploadedcrab-minduploadedcrab-skillguard.md## 概述(中文) OpenClaw 技能的安全扫描器。在安装前扫描技能是否存在恶意软件、凭证盗窃、数据泄露、提示注入和权限越权。运行: python3 script/skillguard.py scan <skill-directory> ## 原文 # SkillGuard — Security Scanner for OpenClaw Skills Scans OpenClaw skills for security threats before installation. Catches agent-specific attacks that generic antivirus misses. ## Usage ```bash # Scan a skill directory python3 scripts/skillguard.py scan ~/.openclaw/workspace/skills/<skill-name> # Scan with JSON output python3 scripts/skillguard.py scan ~/.openclaw/workspace/skills/<skill-name> --json # Scan all installed skills python3 scripts/skillguard.py scan-all # Quick summary of all skills python3 scripts/skillguard.py audit ``` ## What It Detects 1. **Credential Access** — reads of config files, env vars, wallet files, API keys 2. **Network Exfiltration** — outbound HTTP calls, encoded payloads, suspicious domains 3. **File System Abuse** — path traversal, writes outside skill directory, hidden files 4. **Prompt Injection** — SKILL.md content that manipulates agent behavior 5. **Dependency Risks** — suspicious npm post-install scripts, known bad packages 6. **Obfuscation** — extremely long lines, hex/unicode escape sequences 7. **Symlink Attacks** — symlinks escaping the skill directory to access sensitive files 8. **Config File Secrets** — hardcoded credentials in .json, .env, .yaml files ## Output Each scan produces: - **Risk Score**: 0-100 (0 = clean, 100 = critical threat) - **Verdict**: PASS / WARN / FAIL - **Findings**: Detailed list of issues with severity and evidence