Skill Safe Install
v2.0.1Skills 安全安装工具 - 整合 Vetter 代码审查 + ClawHub 评分 + ThreatBook 沙箱扫描三层验证
⭐ 0· 410·4 current·4 all-time
by想开电动车@chj0w0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match what the package does: it vetts skill code, queries ClawHub for ratings, and uploads a packaged skill to ThreatBook for sandboxing. Required binaries (node, curl, tar, zip) and THREATBOOK_API_KEY are appropriate for the documented functionality.
Instruction Scope
The runtime instructions and the included script download the target skill via `clawhub install`, scan files locally, then package and upload the skill to the external ThreatBook sandbox. That behavior can leak entire skill source trees (possibly containing sensitive code or secrets). The README suggests aliasing/wrapping `clawhub install` in your shell to force-check every install, which would cause automatic uploads of all skills to the third-party sandbox. The SKILL.md also instructs writing the API key to ~/.openclaw/.env (which is not the same as exporting an env var), a potential operational mismatch.
Install Mechanism
There is no remote install step — the script is included in the skill bundle (scripts/safe-install.mjs), so nothing is fetched/installed from arbitrary URLs at install time. The script uses child_process/execSync to run clawhub and other shell commands, which is expected for a wrapper tool but increases runtime risk if invoked with elevated privileges or used as an automatic wrapper.
Credentials
The only required env var is THREATBOOK_API_KEY (primary credential), which is justified for uploading files to ThreatBook. However: 1) Uploading skill archives to a third-party sandbox will transmit potentially sensitive code/data. 2) The README suggests storing the key in ~/.openclaw/.env rather than exporting it; unless your runtime sources that file, the script may not see the key. 3) The script runs `clawhub` commands which may require ClawHub credentials (CLAWHUB_TOKEN) in some environments—this token is mentioned only as optional in docs, but failure to authenticate could change behavior. These are proportional to the stated purpose but present privacy/operational concerns.
Persistence & Privilege
The skill does not set always:true and does not auto-enable itself. However, SKILL.md recommends adding an alias/function to ~/.bashrc that overrides `clawhub` to route installs through this tool; if a user follows that, it effectively forces the tool into all install workflows and increases its blast radius. The skill itself does not automatically persist or modify other skills' configs, but the recommended integration pattern can create persistent, automatic behavior.
What to consider before installing
This skill appears to do what it says (local vetting + ClawHub rating + ThreatBook sandbox), but it will package and upload entire skill code to a third‑party service. Before installing, consider: 1) Do not alias/overwrite your `clawhub` command system-wide until you’ve tested the script — that alias would make every install automatically upload code to ThreatBook. 2) Review scripts/safe-install.mjs yourself to confirm exactly what is uploaded and whether temporary directories are cleaned. 3) Be careful about placing sensitive or proprietary skills behind this flow; the tool warns not to upload secrets, but it is your responsibility to prevent that. 4) The README suggests echoing the API key into ~/.openclaw/.env — ensure your runtime actually loads that file or export the env var in your shell/CI so the script can authenticate. 5) Use --dry-run first and run the tool in a controlled environment (non-prod user) to observe behavior. If you must use it in CI, restrict the scanned artifacts to non-sensitive samples or ensure ThreatBook usage complies with your privacy policies.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🛡️ Clawdis
Binsnode, curl, tar, zip
EnvTHREATBOOK_API_KEY
Primary envTHREATBOOK_API_KEY
latest
Skills 安全安装工具
在安装任何 Skill 前自动执行三层安全检查,包括 Skill-Vetter 代码审查、ClawHub 评分检查 和 ThreatBook 沙箱扫描。
快速开始
1. 配置 API Key
# 获取微步在线 API Key: https://s.threatbook.com
echo 'THREATBOOK_API_KEY=your_api_key_here' >> ~/.openclaw/.env
2. 使用安全安装
# 替代 clawhub install,自动执行完整检查
node ~/.openclaw/workspace/skills/skill-safe-install/scripts/safe-install.mjs skill-name
# 或添加别名
alias clawhub-safe='node ~/.openclaw/workspace/skills/skill-safe-install/scripts/safe-install.mjs'
clawhub-safe skill-name
安全检查流程
┌─────────────────────────────────────────────────────────┐
│ Skills 安全安装流程 │
├─────────────────────────────────────────────────────────┤
│ │
│ 1️⃣ Skill-Vetter 代码审查 │
│ ├─ 检查红旗(恶意代码模式) │
│ ├─ 评估来源信任层级 │
│ ├─ 发现极端红旗 → ❌ 禁止安装 │
│ └─ 发现高风险 → ❓ 询问任务下达者 │
│ │
│ 2️⃣ ClawHub 评分检查 │
│ ├─ 评分 ≥ 3.5 → ✅ 通过,继续 │
│ └─ 评分 < 3.5 → ❓ 询问任务下达者 │
│ │
│ 3️⃣ ThreatBook 沙箱扫描 │
│ ├─ safe → ✅ 允许安装 │
│ ├─ suspicious → ❓ 询问任务下达者 │
│ ├─ malicious → ❌ 禁止安装 │
│ └─ API 失败 → ❓ 询问任务下达者 │
│ │
│ 4️⃣ 执行安装 │
│ │
└─────────────────────────────────────────────────────────┘
判定标准
第一层:Skill-Vetter 代码审查
检查内容:
- 🔴 极端红旗(直接拒绝):
curl|bash, 访问.ssh/,.aws/,eval(), 危险rm命令 - 🟡 高风险(需要确认):
exec(), 访问内存文件,sudo, 网络请求 - 🟢 低风险(允许): 标准文件操作,日志记录
信任层级:
| 来源 | 审查级别 |
|---|---|
| 官方 OpenClaw | 较低审查 |
| 已知作者 | 中等审查 |
| 未知来源 | 最高审查 |
第二层:ClawHub 评分检查
| 评分 | 判定 | 操作 |
|---|---|---|
| ≥ 3.5 分 | ✅ 高评分 | 进入沙箱扫描 |
| < 3.5 分 | ⚠️ 低评分 | ❓ 必须询问任务下达者确认 |
第三层:ThreatBook 沙箱扫描
| 结果 | 含义 | 操作 |
|---|---|---|
| safe | 安全 | ✅ 允许安装 |
| suspicious | 可疑 | ❓ 必须询问任务下达者确认 |
| malicious | 恶意 | ❌ 禁止安装 |
| API 失败 | 无法访问 | ❓ 必须询问任务下达者是否继续 |
决策矩阵
| Vetter | 评分 | 沙箱 | 最终决策 |
|---|---|---|---|
| ✅ 通过 | ≥3.5 | safe | ✅ 直接安装 |
| ✅ 通过 | ≥3.5 | suspicious | ❓ 询问确认 |
| ✅ 通过 | <3.5 | 任意 | ❓ 询问确认 |
| ⚠️ 高风险 | 任意 | 任意 | ❓ 询问确认 |
| 🚨 极端风险 | 任意 | 任意 | ❌ 禁止安装 |
| 任意 | 任意 | malicious | ❌ 禁止安装 |
选项
| 选项 | 说明 |
|---|---|
--auto, --yes, -y | 自动模式(需要确认时自动询问任务下达者) |
--force | 强制安装(跳过可疑警告) |
--no-vetter | 跳过 Vetter 代码审查(不推荐) |
--no-scan | 跳过沙箱扫描(不推荐) |
--dry-run | 仅检查,不实际安装 |
--timeout=<秒> | 沙箱扫描超时时间(默认 120 秒) |
--help | 显示帮助 |
退出码
| 退出码 | 含义 |
|---|---|
0 | 安装成功 |
1 | 检测到恶意代码,禁止安装 |
2 | 文件可疑,等待确认 |
3 | API 调用失败 |
4 | 评分过低,等待确认 |
5 | 用户取消安装 |
6 | Vetter 发现极端红旗 |
环境变量
| 变量 | 必需 | 说明 |
|---|---|---|
THREATBOOK_API_KEY | ✅ | 微步在线沙箱 API Key |
CLAWHUB_TOKEN | ❌ | ClawHub 认证 Token(如需要) |
红旗检测规则
🚨 极端风险(直接拒绝)
curl ... | bash- 远程代码执行wget ... | bash- 远程代码执行- 访问
~/.ssh/- SSH 密钥窃取 - 访问
~/.aws/- AWS 凭证窃取 rm -rf /- 危险删除命令- 读取
/etc/passwd,/etc/shadow- 系统文件
🔴 高风险(需要确认)
eval()- 代码注入风险exec()- 命令执行- 访问
MEMORY.md,USER.md,SOUL.md- 记忆文件 sudo- 提权操作- 发送数据到外部服务器
🟡 中风险(记录)
child_process- 子进程net.connect- 网络连接base64 decode- 解码操作localStorage- 存储访问
🟢 低风险(允许)
fs模块 - 文件操作fetchHTTP 请求 - 网络请求mktemp,/tmp/- 临时文件
输出示例
成功安装
🛡️ 开始 Skills 安全安装流程
📋 检查 Skill: tavily-search
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
第一步:Skill-Vetter 代码审查
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
👤 作者:openclaw
📅 更新时间:2026-02-20
📦 版本:1.0.0
📊 信任层级评估...
✅ 官方 OpenClaw Skill - 较低审查
📄 发现 2 个脚本文件
✅ 未发现红旗
风险等级:🟢 LOW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
第二步:ClawHub 评分检查
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ 评分:4.2/5.0 (高评分,通过)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
第三步:ThreatBook 沙箱扫描
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📤 上传文件到沙箱...
⏳ 等待分析结果...
✅ 分析完成
📊 扫描结果:
判定:SAFE
威胁等级:clean
可信度:98%
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
安全检查通过,开始安装...
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ tavily-search 安装完成!
发现极端红旗
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
第一步:Skill-Vetter 代码审查
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📄 发现 3 个脚本文件
⚠️ 发现 2 个潜在问题:
🚨 Curl pipe to bash (scripts/install.sh:15)
🚨 Accessing .ssh directory (scripts/setup.js:8)
风险等级:⛔ EXTREME
🚨 发现极端危险代码,禁止安装!
红旗列表:
🚨 Curl pipe to bash (scripts/install.sh:15)
🚨 Accessing .ssh directory (scripts/setup.js:8)
发现高风险(v2.0 新格式)
🛡️ 开始 Skills 安全安装流程 v2.0
📋 检查 Skill: some-skill
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
第一步:Skill-Vetter 代码审查
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 信任层级评估...
⚠️ 未知作者 - 最高审查
📄 发现 3 个脚本文件
⚠️ 发现 3 个潜在问题:
🔴 Use of eval() (main.js:45)
🔴 Accessing memory files (config.js:12)
🟡 Network module (utils.js:5)
风险等级:🔴 HIGH
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
第二步:ClawHub 评分检查
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ 评分:4.2/5.0 (高评分,通过)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
第三步:ThreatBook 沙箱扫描
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📤 上传文件到沙箱...
✅ 分析完成
📊 扫描结果:
判定:SAFE
威胁等级:clean
可信度:95%
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 复核结果摘要
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
┌─────────────────────────────────────────────────────┐
│ 三层安全检查结果 │
├─────────────────────────────────────────────────────┤
│ 1️⃣ Vetter 审查 🔴 需确认 │ 风险:HIGH │
│ 2️⃣ ClawHub 评分 ✅ 通过 │ 评分:4.2/5.0 │
│ 3️⃣ ThreatBook ✅ 通过 │ 结果:safe │
└─────────────────────────────────────────────────────┘
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎯 最终决策
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️ 需要任务下达者确认:
• Vetter 发现 3 个潜在问题 (high 风险)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
❓ 等待确认
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Skill: some-skill
以下问题需要您确认:
• Vetter 发现 3 个潜在问题 (high 风险)
是否继续安装?
输入 y 或 yes 继续,其他键取消
>
相关文件
SKILL.md- Skill 元数据和使用说明README.md- 完整文档SECURITY_PROCESS.md- 安全流程详解scripts/safe-install.mjs- 主安装脚本
注意事项
- API 配额: 免费账户有每日扫描次数限制
- 分析时间: 沙箱动态分析需要 1-2 分钟,默认超时 120 秒
- 文件大小: 单文件最大 100MB
- 隐私: 上传的文件会被微步在线分析,不要上传敏感/机密文件
- 网络: 需要能访问
api.threatbook.cn和 ClawHub API
更新日志
v2.0 (2026-02-28)
- 🆕 新增
--auto自动模式选项 - 🔄 重构决策逻辑为决策矩阵
- 📊 统一展示三层安全检查结果摘要
- 🎨 优化输出格式和用户体验
- 🐛 改进错误处理和堆栈跟踪
v1.1.0 (2026-02-27)
- 🎉 新增 Skill-Vetter 代码审查作为第一层检查
- 🎉 检测 25+ 种红旗模式
许可证
MIT License
Comments
Loading comments...