skill-security-audit
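Audits skills for security risks. Scans for credential leaks, dangerous commands, network exfiltration, out-of-bounds file access, and similar issues. Use for: (1) security checks before installing a new skill (2) periodic audits of existing skills (3) self-checks before publishing a skill. Trigger words: skill 安全 (skill security), 审计 (audit), security audit, 检查 skill (check skill).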
Why use this skill?
Secure your OpenClaw agent skills with automated security auditing. Detect credential leaks, dangerous shell commands, and risky file access before execution.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/xiwan/jiajia-security-audit
What This Skill Does
The skill-security-audit tool is a mission-critical utility for the OpenClaw ecosystem, designed to inspect, scan, and validate agent skills before they are executed or shared. In an environment where AI agents can interact with local files, environment variables, and network resources, this skill acts as a proactive security layer. It performs static analysis on skill directories to detect potential threats such as hardcoded API credentials (OpenAI, AWS, GitHub), execution of high-risk shell commands (e.g., rm -rf, sudo), attempts to access sensitive system paths (e.g., ~/.ssh), and unauthorized network communication. By integrating security into the workflow, this skill ensures that your agent infrastructure remains resilient against malicious or poorly written code.
Installation
To integrate this security suite into your environment, use the OpenClaw hub CLI:
clawhub install openclaw/skills/skills/xiwan/jiajia-security-audit
Once installed, you can configure your environment for better accessibility by adding aliases to your shell configuration file (e.g., ~/.bashrc or ~/.zshrc):
alias skill-audit='bash ~/clawd/skills/skill-security-audit/scripts/audit.sh'
This allows you to initiate scans with a single command, streamlining the security pipeline for your development lifecycle.
Use Cases
- Pre-Installation Validation: Automatically scan any third-party skill from the marketplace before letting it run on your system.
- Continuous Deployment: Integrate the safe-publish.sh script into your CI/CD pipeline to ensure that no skill with a CRITICAL vulnerability is ever released to your team or the public.
- Regulatory Compliance: Perform periodic audits of existing skill libraries to detect "drift" or unauthorized changes that may have introduced security regressions.
- Vulnerability Patching: Use the detailed scan output to identify and remediate outdated dependencies or insecure configuration patterns in your custom-built skills.
Example Prompts
- "Perform a security audit on the ./skills/my-new-plugin folder to ensure there are no sensitive keys exposed before I use it."
- "Run a full system security scan on all installed skills and report any high-risk shell command usage."
- "Check the current skill directory for security vulnerabilities and output the results in JSON format so I can process them in my logging system."
Tips & Limitations
- False Positives: If the auditor flags legitimate code (e.g., test files or mock data), use the # security-audit: ignore-next-line directive to suppress warnings.
- Environment Scope: This tool is best used as a gatekeeper; it cannot replace runtime behavioral monitoring or sandboxing. Always run skills with the principle of least privilege.
- Strictness: When in doubt, run with the --include-docs flag to ensure that credentials hidden in documentation or comment files are also swept.
- Cannot be bypassed: Note that safe-publish.sh enforces a zero-tolerance policy for CRITICAL vulnerabilities, ensuring the integrity of the ecosystem.
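A minimal sketch of the static checks described under "What This Skill Does", together with the ignore-next-line directive and the CRITICAL publish gate from the tips above. This is an added example, not the skill's own code: the rule patterns, the HIGH severity label, the sample script, and the names scan_text and publish_allowed are assumptions.

```python
import json
import re

# Assumed rules for illustration; the skill's real patterns are not on the page.
RULES = [
    ("CRITICAL", "aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("CRITICAL", "github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("CRITICAL", "openai-key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")),
    ("HIGH", "destructive-rm", re.compile(r"\brm\s+-\w*(?:rf|fr)\w*")),
    ("HIGH", "sudo", re.compile(r"\bsudo\s")),
    ("HIGH", "ssh-dir-access", re.compile(r"(?:~|\$HOME)/\.ssh\b")),
]
IGNORE = re.compile(r"#\s*security-audit:\s*ignore-next-line\b")

def scan_text(text, path="<memory>"):
    """Return findings for one file. The matched secret is never echoed back."""
    findings, suppress = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        # The directive hides only the following line. The line carrying the
        # directive is still scanned, so appending it to a risky command
        # does not hide that command.
        skip, suppress = suppress, bool(IGNORE.search(line))
        if skip:
            continue
        for severity, rule, pattern in RULES:
            if pattern.search(line):
                findings.append({"path": path, "line": lineno,
                                 "severity": severity, "rule": rule})
    return findings

def publish_allowed(findings):
    """Zero tolerance for CRITICAL findings, as the page describes for publishing."""
    return not any(f["severity"] == "CRITICAL" for f in findings)

# Constructed sample; the key is AWS's documented placeholder, not a real credential.
SAMPLE = '''#!/bin/bash
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
# security-audit: ignore-next-line
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"  # mock value in a test fixture
cat ~/.ssh/id_rsa
rm -rf "$WORKDIR"
'''

if __name__ == "__main__":
    results = scan_text(SAMPLE, "scripts/setup.sh")
    print(json.dumps({"findings": results, "publish_allowed": publish_allowed(results)}, indent=2))
```

Because every suppression hides a line from review, count directive occurrences per skill and treat an increase between versions as a reason to re-read the suppressed lines.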
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-xiwan-jiajia-security-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags (AI)
Flags: file-read, code-execution