个人中心
今日签到
私信列表
消息中心
搜索全站
q_code

扫码关注官方微信
cell_code

扫码下载APP
返回顶部
技能集市 > AI智能 > neckr0ik-security-scanner
n

neckr0ik-security-scanner安全扫描器

Security audit tool for OpenClaw skills. Scans skill directories for common vulnerabilities including hardcoded secrets, unsafe shell commands, prompt injection risks, unauthorized network access, and code execution dangers. Use when auditing skills before installation, reviewing skill code for security issues, or validating skills for ClawHub publication.

作者: admin | 来源: ClawHub
下载
源自
ClawHub
版本
V 1.0.0
安全检测
已通过
242
下载量
免费
免费
0
收藏
概述
安装方式
版本历史

neckr0ik-security-scanner

技能安全审计

在安装或发布前扫描OpenClaw技能的安全漏洞。

快速开始

bash

审计单个技能


skill-security-audit audit /path/to/skill-folder

审计所有已安装技能

skill-security-audit audit-all

生成安全报告

skill-security-audit report /path/to/skill-folder --format json

检测内容

严重问题(阻止安装)

问题描述风险等级
硬编码密钥代码中的API密钥、令牌、密码严重
Shell注入
未经过滤的shell命令输入 | 严重 | | 代码执行 | eval()、exec()、动态代码执行 | 严重 | | 未授权网络 | 调用未知/可疑域名 | 严重 |

高危问题(需审查)

问题描述风险等级
提示注入系统提示中包含未经净化的用户输入高危
文件路径遍历
用户输入中未检查的文件路径 | 高危 | | 权限过大 | 请求不必要的系统访问权限 | 高危 |

中等问题(警告)

问题描述风险等级
过时依赖包含已知CVE的包中等
未固定版本
浮动的依赖版本 | 中等 | | 缺少许可证 | 没有用于分发的许可证文件 | 中等 |

安全模式

良好模式:环境变量

python

正确:从环境加载密钥


import os
apikey = os.environ.get(OPENAIAPI_KEY)

不良模式:硬编码密钥

python

危险:代码中的密钥


api_key = sk-abc123def456... # 切勿这样做

良好模式:净化输入

python

正确:验证并净化


import re
def safe_filename(name):
return re.sub(r[^a-zA-Z0-9_-], , name)

不良模式:Shell注入

python

危险:用户输入到shell


os.system(fconvert {user_file} output.png) # 切勿这样做

运行审计

重要:自扫描结果

运行 skill-security-audit audit skill-security-audit/ 时,您会看到模式定义本身的发现结果。这是预期行为——扫描器会检测其自身文档中的示例模式。这些并非真实漏洞。

对于实际技能审计,这将产生准确结果。

单个技能审计

bash
skill-security-audit audit ./my-skill/

输出:

  • - 通过/失败状态
  • 发现的漏洞列表
  • 严重等级
  • 修复建议

批量审计(所有已安装技能)

bash
skill-security-audit audit-all

扫描 ~/.openclaw/skills/ 并报告所有已安装技能。

报告格式

bash

JSON格式,用于CI/CD集成


skill-security-audit audit ./skill/ --format json

Markdown格式,用于文档

skill-security-audit audit ./skill/ --format markdown

摘要格式,用于快速审查

skill-security-audit audit ./skill/ --format summary

CI/CD集成

添加到您的技能发布流水线:

yaml

.github/workflows/publish.yml


  • - name: 安全审计

run: skill-security-audit audit ./skill/

退出代码:

  • - 0:未发现问题
  • 1:发现中等问题(警告)
  • 2:发现严重问题(阻止)

发布安全技能

在发布到ClawHub之前:

  1. 1. 运行 skill-security-audit audit ./your-skill/
  2. 修复所有严重和高危问题
  3. 在README中记录任何必需的密钥
  4. 包含带有占位符值的 .env.example
  5. 重新运行审计以确认干净

参见

  • - references/vulnerabilities.md — 完整漏洞数据库
  • references/remediation.md — 如何修复常见问题
  • scripts/audit.py — 主审计脚本

标签

skill ai

通过对话安装

该技能支持在以下平台通过对话安装:

OpenClaw WorkBuddy QClaw Kimi Claude

方式一:安装 SkillHub 和技能

帮我安装 SkillHub 和 neckr0ik-security-scanner-1776198898 技能

方式二:设置 SkillHub 为优先技能安装源

设置 SkillHub 为我的优先技能安装源,然后帮我安装 neckr0ik-security-scanner-1776198898 技能

通过命令行安装

skillhub install neckr0ik-security-scanner-1776198898

下载

⬇ 下载 neckr0ik-security-scanner v1.0.0(免费)

文件大小: 14.78 KB | 发布时间: 2026-4-15 10:26

v1.0.0 最新 2026-4-15 10:26
Initial release of neckr0ik-security-scanner.

- Scans OpenClaw skill directories for critical, high, and medium security issues
- Detects hardcoded secrets, shell injection, code execution, prompt injection, and more
- Provides CLI commands for single-skill and batch audits
- Generates security reports in JSON, Markdown, and summary formats
- Includes CI/CD integration instructions and recommended security patterns
- Documents remediation steps and references for skill publishing best practices

相关推荐

s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3209 ⬇ 392958
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3209 ⬇ 392957
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3195 ⬇ 389589
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3177 ⬇ 386644
AI智能

多链集团旗下-闲社网

闲社网热线
免费联系电话
0527-80111111
            qqline

服务时间:周一到周日 8:00-24:00

  • 公众号
    闲社 闲社线报社区
关注闲社网
  • wxkf

    闲社在线客服

  • wx

    关注闲社网微信

  • app

    闲社网APP

Archiver·手机版·闲社网·闲社论坛·羊毛社区· 多链控股集团有限公司 · 苏ICP备2025199260号-1

Powered by Discuz! X5.0   © 2024-2025 闲社网·线报更新论坛·羊毛分享社区·http://xianshe.com

p2p_official_large
返回顶部