个人中心
今日签到
私信列表
消息中心
搜索全站
q_code

扫码关注官方微信
cell_code

扫码下载APP
返回顶部
技能集市 > AI智能 > skill-security-guide
s

skill-security-guide安全扫描指南

Security best practices guide for passing ClawHub security scans with "Benign" ratings. Use when creating or reviewing skills to ensure they meet security standards.

作者: admin | 来源: ClawHub
下载
源自
ClawHub
版本
V 1.0.1
安全检测
已通过
249
下载量
免费
免费
1
收藏
概述
安装方式
版本历史

skill-security-guide

技能安全指南

一份全面的指南,帮助您的技能以“良性”评级通过ClawHub安全扫描。

为何重要

ClawHub对所有上传的技能执行自动化安全扫描。未达到安全标准的技能会被标记为“可疑”,并在安装前向用户发出警告。

黄金法则:元数据格式

始终在SKILL.md中使用JSON格式作为元数据:

yaml


name: your-skill-name
description: Your skill description
homepage: https://example.com
metadata: {clawdbot:{emoji:🔧,requires:{bins:[python],packages:[package-name],env:[ENVVAR1,ENVVAR2]},primaryEnv:ENVVAR1}}

❌ 错误格式(YAML多行)

yaml
metadata:
requires:
bins: [python]
env: [KEY]

✅ 正确格式(JSON单行)

yaml
metadata: {clawdbot:{requires:{bins:[python],env:[KEY]}}}

安全检查清单

在向ClawHub提交技能之前:

SKILL.md

  • - [ ] 元数据为JSON单行格式
  • [ ] 所有必需的bins已声明(python、node等)
  • [ ] 所有必需的env变量已声明
  • [ ] primaryEnv已设置为主要凭据变量
  • [ ] 已指定清晰的emoji图标

代码安全

  • - [ ] 未禁用SSL验证(无ssl.CERT_NONE)
  • [ ] 日志/输出中未打印敏感信息
  • [ ] 凭据仅从环境变量读取
  • [ ] 仅访问已声明的API端点

文档

  • - [ ] 功能描述准确(无误导性声明)
  • [ ] 依赖项已完整声明
  • [ ] 所有文档文件保持一致

常见安全问题

问题1:元数据格式错误

症状:安全扫描显示“registry summary claimed Required env vars: none”

修复:将YAML多行转换为JSON单行

yaml

❌ 错误


metadata:
requires:
env: [KEY]

✅ 正确

metadata: {clawdbot:{requires:{env:[KEY]}}}

问题2:SSL验证已禁用

症状:安全扫描提到“insecure practices”

修复:移除禁用SSL的代码

python

❌ 错误


sslcontext = ssl.createdefault_context()
sslcontext.verifymode = ssl.CERT_NONE

✅ 正确

import urllib.request with urllib.request.urlopen(url, timeout=30) as response: ...

问题3:敏感信息泄露

症状:安全扫描提到“guidance that prints secret material”

修复:仅检查变量是否存在,不显示内容

powershell

❌ 错误


Write-Host SecretKey: $($env:SECRET_KEY.Substring(0,10))...

✅ 正确

if ($env:SECRET_KEY) { Write-Host ✅ Credentials configured }

问题4:误导性功能声明

症状:安全扫描提到“behavioral mismatch”或“misleading claim”

修复:确保文档与实际代码行为匹配

markdown

❌ 错误(如果代码实际上并未执行此操作)


Features


  • - Automatically removes watermarks

✅ 正确

Features

  • - Supports watermark control via API parameter

问题5:文档与代码不匹配(关键!)

症状:安全扫描提到“mismatches between the SKILL.md and the included script”

来自hunyuan-video/3d修复的真实案例

  • - 问题:SKILL.md将响应字段描述为Status,值为DONE,但代码检查的是SUCCESS
  • 结果:脚本可能无法正确解析真实的API响应

修复:确保SKILL.md准确描述:

  1. 1. 响应结构 - 字段名称和嵌套
  2. 状态值 - 所有可能的状态码及其含义
  3. 错误处理 - 错误如何返回和解析

python

❌ 错误(SKILL.md说Status: DONE,但代码检查了错误的值)


status = result.get(Status, )
if status == SUCCESS: # 与文档不匹配!

✅ 正确(与文档完全匹配)

status = result.get(Status) or result.get(JobStatusCode, ) if status in [DONE, SUCCESS, 4]: # 处理所有已记录的情况

最佳实践:使用真实的API响应测试您的技能,并验证代码是否完全按照SKILL.md中的文档进行解析。

完整示例:良性评级技能

yaml


name: tavily
description: AI-optimized web search via Tavily API. Returns concise, relevant results for AI agents.
homepage: https://tavily.com
metadata: {clawdbot:{emoji:🔍,requires:{bins:[node],env:[TAVILYAPIKEY]},primaryEnv:TAVILYAPIKEY}}

Tavily Search

AI-optimized web search using Tavily API.

Usage

bash
node {baseDir}/scripts/search.mjs your search query

Requirements

  • - Node.js installed
  • TAVILYAPIKEY environment variable set

Get your API key at: https://tavily.com

提交前验证

在提交前运行这些检查:

bash

1. 检查元数据格式


grep ^metadata: SKILL.md

2. 检查SSL禁用

grep -r CERT_NONE scripts/

3. 检查文档中的敏感信息

grep -i secretkey\|api_key README.md SKILL.md

4. 验证文档一致性

确保SKILL.md、README.md和package.yaml全部匹配

案例研究:修复hunyuan-video和hunyuan-3d

将技能从“可疑”修复为“良性”的真实案例。

初始问题

两个技能均被标记为“可疑”,存在以下问题:

问题hunyuan-videohunyuan-3d
元数据格式❌ YAML多行❌ YAML多行
SSL验证
❌ 已禁用 | ❌ 已禁用(3处) |
| 文档与代码不匹配 | ❌ 状态字段不匹配 | ❌ 状态值不匹配 |

应用的修复

1. 元数据格式(两个技能)

yaml

之前 ❌


metadata:
requires:
bins: [python]
env: [TENCENTSECRETID, TENCENTSECRETKEY]

之后 ✅

metadata: {clawdbot:{emoji:🎬,requires:{bins:[python],packages:[tencentcloud-sdk-python],env:[TENCENTSECRETID,TENCENTSECRETKEY]},primaryEnv:TENCENTSECRETID}}

2. SSL验证(两个技能)

python

之前 ❌


sslcontext = ssl.createdefault_context()
sslcontext.checkhostname = False
sslcontext.verifymode = ssl.CERT_NONE

之后 ✅

import urllib.request with urllib.request.urlopen(url, timeout=30) as response: ...

3. 文档与代码对齐

hunyuan-3d

  • - SKILL.md说:Status: DONE 表示成功
  • 代码检查:status == SUCCESS
  • 修复:将代码改为检查 status == DONE

hunyuan-video

  • - 不同的API使用不同的状态字段
  • 修复:统一处理,同时检查 Status 和 JobStatusCode

python

之前 ❌(仅检查一个字段)


status = result.get(Status, )
if status == SUCCESS:

之后 ✅(处理所有已记录的情况)

status = result.get(Status) or result.get(JobStatusCode, ) if status in [JobSuccess, SUCCESS, DONE, 4]: # 成功 elif status == 5 and result.get(ResultDetails) == [Success]: # 风格化API的特殊情况

结果

修复后:

  • - ✅ 元数据:JSON格式
  • ✅ SSL:标准HTTPS
  • ✅ 文档:与代码行为匹配
  • 最终评级:“良性”(高置信度)

与skill-creator-2的关系

本技能与skill-creator-2互补关系:

| 方面 | skill-creator-2 | skill-security-gu

标签

skill ai

通过对话安装

该技能支持在以下平台通过对话安装:

OpenClaw WorkBuddy QClaw Kimi Claude

方式一:安装 SkillHub 和技能

帮我安装 SkillHub 和 skill-security-guide-1776199606 技能

方式二:设置 SkillHub 为优先技能安装源

设置 SkillHub 为我的优先技能安装源,然后帮我安装 skill-security-guide-1776199606 技能

通过命令行安装

skillhub install skill-security-guide-1776199606

下载

⬇ 下载 skill-security-guide v1.0.1(免费)

文件大小: 3.74 KB | 发布时间: 2026-4-15 11:00

v1.0.1 最新 2026-4-15 11:00
- Added "Issue 5: Documentation-Code Mismatch (Critical!)" section with real-world example and fixes.
- Included a new "Case Study: Fixing hunyuan-video and hunyuan-3d" detailing how to resolve security issues for actual skills.
- Expanded documentation on aligning response fields, status values, and code to match SKILL.md.
- No changes to metadata or overall structure; this is a documentation expansion for clearer, more actionable security guidance.

相关推荐

s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3209 ⬇ 392958
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3209 ⬇ 392957
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3195 ⬇ 389589
AI智能
s

self-improvement

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

⭐ 3177 ⬇ 386644
AI智能

多链集团旗下-闲社网

闲社网热线
免费联系电话
0527-80111111
            qqline

服务时间:周一到周日 8:00-24:00

  • 公众号
    闲社 闲社线报社区
关注闲社网
  • wxkf

    闲社在线客服

  • wx

    关注闲社网微信

  • app

    闲社网APP

Archiver·手机版·闲社网·闲社论坛·羊毛社区· 多链控股集团有限公司 · 苏ICP备2025199260号-1

Powered by Discuz! X5.0   © 2024-2025 闲社网·线报更新论坛·羊毛分享社区·http://xianshe.com

p2p_official_large
返回顶部