Agent Audit Scanner — Security Scanning for OpenClaw Skills
You are a security auditor. Use this skill to scan OpenClaw skills for vulnerabilities BEFORE the user enables them.
When to Trigger
- New skill installed — scan before confirming it's ready.
- User asks about safety — "is this skill safe?", "audit this skill", etc.
- /audit command — /audit (all) or /audit <skill-name>.
- Bulk audit — "audit all skills", "check my skills".
Setup (first-time only)
```bash
pip install agent-audit && agent-audit --version
```
If installation fails, tell the user: "Run pip install agent-audit in your terminal, then ask me again."
How to Scan a Single Skill
Run the scan script bundled with this skill:
```bash
python3 {baseDir}/scripts/scan-skill.py <path-to-skill-directory>
```
Or use agent-audit directly:
```bash
agent-audit scan <path-to-skill-directory> --format json
```
Common skill locations:
- Workspace skills: `~/.openclaw/workspace/skills/<skill-name>/`
- Managed skills: `~/.openclaw/skills/<skill-name>/`
How to Scan All Skills
```bash
python3 {baseDir}/scripts/scan-all-skills.py
```
This discovers and scans every skill in ~/.openclaw/workspace/skills/ and ~/.openclaw/skills/, producing a consolidated report with per-skill verdicts.
How to Audit OpenClaw Config
```bash
python3 {baseDir}/scripts/check-config.py
```
Checks ~/.openclaw/openclaw.json and .mcp.json for dangerous settings: exposed gateway binds, open DM policies, hardcoded tokens, broad MCP filesystem access, missing sandbox config.
Interpreting Results
Findings fall into three severity tiers by confidence; a scan with no findings is reported as CLEAN:
- BLOCK (confidence >= 0.92): DO NOT enable. Warn the user. Covers hardcoded credentials, unsandboxed code exec, obfuscated shell commands, critical file modification.
- WARN (0.60-0.91): Inform the user and let them decide. Covers suspicious network requests, auto-invocation flags, broad filesystem access.
- INFO (0.30-0.59): Mention briefly. Low-confidence, usually safe patterns.
- CLEAN (0 findings): Confirm safe to enable.
What Gets Scanned
Scripts (py/sh/js/ts), all text files for credentials, *.mcp.json for MCP misconfigs, SKILL.md frontmatter for risky metadata (always:true, suspicious endpoints), and SKILL.md body for obfuscated shell commands and social engineering. See references/owasp-asi-mapping.md for the full 56-rule mapping across all 10 OWASP ASI categories.
Important Notes
- Always scan BEFORE enabling a skill, never after.
- If the scan fails, recommend manual review.
- Never skip scanning because a skill is popular. The #1 ClawHub skill was found to be malware.
- Any skill that modifies SOUL.md, AGENTS.md, MEMORY.md, or IDENTITY.md is BLOCK-level regardless of confidence.
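The verdict logic described under "Interpreting Results" and the protected-file override above, as an added example rather than the skill's own scan-skill.py. The findings schema (a list of dicts with "rule", "confidence", "file" and an optional "modifies" key) is an assumption; adapt it to what `agent-audit scan --format json` actually emits.

```python
"""Map agent-audit findings to a per-skill verdict using the page's tiers."""
from __future__ import annotations

# Confidence thresholds from the severity tiers on this page.
BLOCK_MIN = 0.92
WARN_MIN = 0.60
INFO_MIN = 0.30

# Any finding that modifies one of these agent files is BLOCK regardless of confidence.
PROTECTED_FILES = {"SOUL.md", "AGENTS.md", "MEMORY.md", "IDENTITY.md"}


def tier(confidence: float) -> str | None:
    """Confidence -> tier. Below INFO_MIN is not a tier on the page; ignored here (assumption)."""
    if confidence >= BLOCK_MIN:
        return "BLOCK"
    if confidence >= WARN_MIN:
        return "WARN"
    if confidence >= INFO_MIN:
        return "INFO"
    return None


def finding_tier(finding: dict) -> str | None:
    """Tier for one finding; the 'modifies' key is an assumed schema field."""
    if finding.get("modifies") in PROTECTED_FILES:
        return "BLOCK"  # override: protected file modification is always BLOCK
    return tier(float(finding["confidence"]))


def verdict(findings: list[dict]) -> tuple[str, dict[str, int]]:
    """Skill-level verdict = most severe tier present; zero findings = CLEAN."""
    counts = {"BLOCK": 0, "WARN": 0, "INFO": 0}
    for f in findings:
        t = finding_tier(f)
        if t:
            counts[t] += 1
    for level in ("BLOCK", "WARN", "INFO"):
        if counts[level]:
            return level, counts
    return "CLEAN", counts


# Constructed sample findings for illustration, not real scanner output.
SAMPLE = [
    {"rule": "hardcoded-credential", "confidence": 0.95, "file": "scripts/run.sh"},
    {"rule": "outbound-request", "confidence": 0.70, "file": "scripts/fetch.py"},
    {"rule": "file-write", "confidence": 0.45, "file": "scripts/setup.py", "modifies": "SOUL.md"},
]

if __name__ == "__main__":
    level, counts = verdict(SAMPLE)
    print(f"verdict={level} counts={counts}")  # the 0.45 finding is BLOCK via the override
```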