edgeone-clawscan
The first security skill to install after setting up OpenClaw — powered by Tencent Zhuque Lab. Works like an antivirus for your AI environment: audits installed skills, scans skills before installation, and performs a full OpenClaw security health check to prevent data leaks and privacy risks. Backed by Tencent Zhuque Lab A.I.G (AI-Infra-Guard). Use when the user asks to start a security health check or security scan for the current OpenClaw environment, such as `开始安全体检`, `做一次安全体检`, `开始安全扫描`, `全面安全检查`, or `检查 OpenClaw 安全`; also use when the user asks to audit a specific skill before installation, review installed skills for supply chain risk, or investigate whether a skill is safe. Do not trigger for general OpenClaw usage, project debugging, environment setup, or normal development requests. Optional cloud mode: set AIG_CLOUD_LOOKUP=off for zero outbound HTTPS; when enabled, only skill_name, source label, and OpenClaw version are sent to A.I.G (never skill bodies, chats, or workspace files).
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/aigsec/edgeone-clawscan说明:本 Skill 由腾讯朱雀实验室出品,一键全面扫描 OpenClaw 不安全配置、恶意 Skill 与漏洞。
关于云端 API:供应链与 CVE 情报需要持续更新,仅靠本地静态文件无法覆盖「安装后被篡改的技能」与「每日新增的漏洞库」;因此默认会向 A.I.G 发起最小化查询(仅 skill 名+来源标签、以及 OpenClaw 版本号),不会上传 Skill 源码、对话或工作区文件。若策略不允许任何外联,请设置AIG_CLOUD_LOOKUP=off做纯本地扫描,或把AIG_BASE_URL指向自建实例。
安装前请对照官方仓库核验来源;集市「所有者」字段可能与本文author不一致,不代表密码学意义上的发布者证明。
edgeone-clawscan
OpenClaw security scanning powered by AI-Infra-Guard ( https://github.com/Tencent/AI-Infra-Guard ).
Configuration
AIG_BASE_URL (optional) — base URL for the AI-Infra-Guard API.
Defaults to https://matrix.tencent.com/clawscan (the public Tencent endpoint
declared in the external_requests metadata above).
Privacy / air-gapped environments: to avoid sending skill names, source
labels, or version strings to the public Tencent host, use one of: (1)
AIG_BASE_URL pointing at a self-hosted AI-Infra-Guard you operate, or (2)
AIG_CLOUD_LOOKUP=off so no A.I.G HTTPS request runs (fully local Step 2
and Step 3). Curl uses
${AIG_BASE_URL:-https://matrix.tencent.com/clawscan} only when cloud lookup
is enabled.
export AIG_BASE_URL=https://your-self-hosted-aig.example.com/clawscan
export AIG_CLOUD_LOOKUP=off
Security Declaration
This section is an upfront disclosure of every network action and live probe this skill performs. Auditors and end users should read this section before installation or execution against production data.
Pre-run Safety Checklist
| # | Check | Action |
|---|---|---|
| 1 | Publisher vs registry | author here may not match marketplace "owner" text — see YAML provenance.registry_metadata_caveat. Verify against official_repo before trusting cloud verdicts. |
| 2 | Binary on PATH | which openclaw must resolve to the intended OpenClaw build. |
| 3 | Outbound policy | Default sends minimal metadata to Tencent A.I.G (tables below). For zero outbound: AIG_CLOUD_LOOKUP=off. For your own infra only: self-hosted AIG_BASE_URL. |
| 4 | Live probe | --deep hits the local Gateway config; avoid production until exposure is reviewed. |
Why the A.I.G API Is Necessary (technical)
The API is not optional telemetry for analytics. It supplies two signals that an offline skill cannot keep current or complete on its own:
| Need | Local-only gap | API role |
|---|---|---|
| Supply-chain risk | Disk code and registry metadata can change after install; no bundled file can mirror a global, hourly-updated malicious-skill list. | Query by skill_name + source → verdict from maintained threat intel (analogous to cloud AV signatures). |
| CVE/GHSA currency | Embedding a full advisory DB in SKILL.md would be huge and stale on day one. | Query by fixed OpenClaw + detected version → advisories for that build. |
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-aigsec-edgeone-clawscan": {
"enabled": true,
"auto_update": true
}
}
}Tags
Related Skills
doctorbot-ci-validator
Stop failing in production. Validate your GitHub Actions, GitLab CI & Keep workflows offline with surgical precision. Born from Keep bounty research, perfected for agents.
arc-shield
Output sanitization for agent responses - prevents accidental secret leaks
AURA Security Scanner
Scan AI agent skills for malware, credential theft, prompt injection, and dangerous permissions before installing them
sbom-explainer
把依赖清单或 SBOM 翻译成非技术可读的风险说明,按影响面排序。;use for sbom, dependencies, risk workflows;do not use for 伪造 CVE 状态, 替代专业漏洞扫描.
securityvitals
Security vitals checker for OpenClaw. Scans your installation, scores your setup, and shows you exactly what to fix. First scan in seconds.