Sx Security Audit 1.0.0
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent local security-audit skill, but it needs broad local inspection and can send reports to Feishu, so users should review outputs before sharing them.
Install only if you want a broad local security audit. Run it with least privilege, verify the source if possible, inspect any .security-audit.json configuration, and review/redact generated reports before sending them to Feishu or another endpoint.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the audit can execute local inspection commands and reveal system, dependency, and port information in the report.
The skill invokes local system/dependency inspection commands. This is expected for a security audit, but users should know it can inspect the local environment and may behave differently depending on installed tools and privileges.
Run `npm audit --json` to check NPM dependencies for vulnerabilities ... use `lsof -i -P -n` to check listening ports
Run it intentionally, prefer scoped checks with --check when possible, and avoid sudo/root unless you specifically need checks that require it.
The generated report may reveal where credentials or sensitive configuration issues exist on the machine.
The audit intentionally inspects credential-adjacent paths and environment variables for security issues. This is purpose-aligned, but it touches sensitive areas.
Check permissions on the .ssh, .aws, .gnupg and OpenClaw directories ... scan the current process's environment variables for sensitive information
Keep reports private, review them before sharing, and run with the least privilege needed for the checks you request.
Security findings, local paths, and summaries could be sent to the configured Feishu destination.
The Feishu helper reads the report file and posts formatted content to a webhook or configured plugin endpoint. This is disclosed, but it moves audit data outside the local machine.
full_report = f.read() ... urllib.request.Request(webhook_url, data=data
Only use trusted Feishu webhooks or plugin endpoints, and review or redact the report before sending.
It may be harder to verify who originally authored or packaged the skill.
The internal metadata differs from the registry owner/slug shown in the supplied metadata, and the source/homepage are unknown. This is a provenance note, not evidence of malicious behavior.
"ownerId": "kn7430vg2m3x4kthgg87bfw7bh82kmbh", "slug": "sx-security-audit"
Verify the publisher and inspect the included scripts before trusting the audit results or running with elevated privileges.
