Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CMIC Skill Scanner

v0.8.0

Audits skill packages or archives before installation using a built-in Rust engine, with optional bridging to an external scanner.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cyzlmh/cmic-skill-scanner.

Install the skill "CMIC Skill Scanner" (cyzlmh/cmic-skill-scanner) from ClawHub.
Skill page: https://clawhub.ai/cyzlmh/cmic-skill-scanner
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install cyzlmh/cmic-skill-scanner

ClawHub CLI


npx clawhub@latest install cmic-skill-scanner
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name and description (an audit/scanner) align with its instructions. However, the package claims a "built-in Rust engine" but contains no binary or code—it's an instruction-only wrapper that points users to prebuilt releases on Gitee or to building from source. This is explainable but worth noting: no engine is actually bundled.
Instruction Scope
SKILL.md limits actions to scanning local targets, writing local reports, and optionally uploading structured JSON only when the user explicitly configures --upload-url. It explicitly states it will not access credentials, SSH config, or environment variables by default. The instructions do require the scanner to read target files (expected for this purpose).
Install Mechanism
There is no install spec; the README instructs downloading prebuilt binaries from a Gitee Releases page or building from source. Gitee is a known host but is not as universally familiar as, for example, GitHub Releases; the SKILL.md does provide a SHA256SUMS URL for verification. Because binaries would be fetched from an external host, users must verify checksums or build from source.
Credentials
The skill declares no required environment variables, credentials, or config paths. The only optional data sent on upload is a structured JSON report and an instance-id supplied by the user. This scope of environment/credential access is proportionate to the declared functionality.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide configuration. It is instruction-only and does not attempt to modify other skills or agent settings. Autonomous invocation by the agent is allowed (platform default) but not combined with other concerning privileges.
Assessment
This package is just documentation for a local scanner. If you plan to use the prebuilt binary, verify the SHA-256 checksum (and preferably build from source). Only enable --upload-url if you fully trust the destination (it will receive the structured findings and any instance identifier you provide). Note the small inconsistency: the description mentions a Rust engine but no binary is bundled here — you must obtain or build the scanner yourself. Inspect the release repo on Gitee before downloading, and prefer building from source for maximum assurance.

Like a lobster shell, security has layers — review code before you run it.

Latest version id: vk977qbf1pg1j54sqq171mvk79n858yn9
140 downloads
0 stars
13 versions
Updated 5d ago
v0.8.0
License: MIT-0

Skill Scan Wrapper

Use this skill when you want to run a quick security check on a local skill, archive, or release bundle before installing it.

⚠️ Security Notice

This tool operates locally and requires user trust in the binary you run. Always verify the checksum after downloading. For maximum security, build from source (recommended).

Reference Package (No Binary)

This package contains only documentation. Pre-built binaries are hosted on Gitee Releases (open source, verifiable).

Download from Gitee Releases: https://gitee.com/random_player/cmic-skill-scanner/releases

Verify checksums before running: See https://gitee.com/random_player/cmic-skill-scanner/raw/main/releases/v0.8.0/SHA256SUMS

Build from source (recommended for maximum security):

git clone https://gitee.com/random_player/cmic-skill-scanner.git
cd cmic-skill-scanner && cargo build --release
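The download-and-verify step above, as an added shell example that is not part of the cmic-skill-scanner project: it checks a downloaded release file against the digest recorded for it in a SHA256SUMS file (the two-column format that sha256sum writes) and rejects any mismatch or missing entry. It assumes GNU coreutils sha256sum and awk; the artifact name skillscan-sample.tar.gz and its contents are constructed placeholders built in a temporary directory so the script runs offline, not a real release file.

```shell
#!/bin/sh
# Added example (not the cmic-skill-scanner project's own code): verify a
# downloaded release artifact against a SHA256SUMS file before running it.
# Assumes GNU coreutils sha256sum (Linux).

# verify_artifact SUMSFILE ARTIFACT
# Returns 0 if ARTIFACT's SHA-256 equals the digest recorded for its file name
# in SUMSFILE; returns 1 on mismatch or when no entry exists for that name.
verify_artifact() {
    sums="$1"
    artifact="$2"
    name=$(basename "$artifact")
    # SHA256SUMS lines look like "<hex digest>  <filename>" (or "*<filename>"
    # for binary mode); pick the digest whose file name matches ours.
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$artifact" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# demo_verify builds a constructed fixture: a placeholder artifact, a SHA256SUMS
# file for it, and then a tampered copy. Returns 0 only if the intact file is
# accepted and the tampered one is rejected.
demo_verify() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample; "skillscan-sample.tar.gz" is a placeholder name.
    printf 'constructed sample release payload\n' > "$tmp/skillscan-sample.tar.gz"
    ( cd "$tmp" && sha256sum skillscan-sample.tar.gz > SHA256SUMS )
    verify_artifact "$tmp/SHA256SUMS" "$tmp/skillscan-sample.tar.gz" || { rm -rf "$tmp"; return 1; }
    # Simulate a tampered download: a single appended byte must be rejected.
    printf 'x' >> "$tmp/skillscan-sample.tar.gz"
    if verify_artifact "$tmp/SHA256SUMS" "$tmp/skillscan-sample.tar.gz" 2>/dev/null; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Run the offline demo when the script is executed directly.
demo_verify && echo "checksum demo passed"
```

On a real download, place SHA256SUMS next to the fetched file and run verify_artifact SHA256SUMS ./<downloaded-file>; run the binary only after it prints OK. The digest comparison is exact-match on the hex string, so a partial or truncated download fails the same way a modified one does.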

Prerequisites

  • No external dependencies are required by default
  • The --upload-url and --engine external features are disabled by default and are enabled only when the user explicitly configures them

Trust model

This is an open-source (MIT-0) package. The binary (bundled or downloaded) is a convenience only — it does not grant any additional trust.

Your options:

Approach                  | Trust requirement             | Verification
Build from source         | None (you control everything) | Manual code review
Bundled/downloaded binary | You trust the release host    | SHA-256 checksum

What the tool does NOT do by default:

  • Does NOT upload data anywhere
  • Does NOT connect to the network
  • Does NOT access credentials, SSH configs, or environment variables
  • Does NOT execute external tools unless you explicitly configure --engine external

Workflow

  1. Run skillscan:
     skillscan review /path/to/target --format markdown
     skillscan review /path/to/skills --output-dir /tmp/skillscan-out
  2. Read the output: input type, completeness, engine execution status, findings

Network upload (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --upload-url.

What gets sent (only when you configure --upload-url):

  • A structured JSON report containing detection findings
  • An instance identifier you supply via --instance-id
  • No skill source code, credentials, or system configuration is ever transmitted

External engine integration (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --engine external.

Delegates pattern-matching to a user-configured local tool. This runs locally — no remote calls are made.

Permissions Required

Scope                     | Reason
Read files in target path | To analyze skill source code for patterns
Write to --output-dir     | To save scan reports locally
Execute binary            | To run the scanner engine
Network (optional)        | Only if --upload-url is explicitly configured
