Install
openclaw skills install cmic-skill-scanner-bclinux21-amd64CMIC Skill Scanner (BCLinux 21 / 低版本 glibc Linux x64)
使用内置 Rust 引擎审计待安装的 skill 包或归档,并可选桥接外部 scanner。
Skill Scan Wrapper
当你要在安装一个本地 skill、归档或 release bundle 前做一次快速安全检查时,使用这个 skill。
⚠️ Security Notice
This tool operates locally and requires user trust in the binary you run. Always verify the checksum after downloading. For maximum security, build from source (recommended).
Binary Included
| Property | Value |
|---|---|
| Location | assets/bin/skillscan |
| Version | v0.9.0 |
| Platform | bclinux21-amd64 |
| SHA-256 | b701a5cccbfb1d350b63f35656f6feb9862fac9e12940607ace95470a9bed27a |
Verify locally before running:
sha256sum assets/bin/skillscan
# Compare output with the SHA-256 value above
This bundled package includes a pre-compiled binary. You can still build from source if you prefer:
git clone https://gitee.com/random_player/cmic-skill-scanner.git
cd cmic-skill-scanner && cargo build --release
前置条件
- 默认不需要任何外部依赖
--upload-url和--engine external功能默认禁用,仅在用户显式配置时启用
信任模型
This is an open-source (MIT-0) package. The binary (bundled or downloaded) is a convenience only — it does not grant any additional trust.
Your options:
| Approach | Trust Requirement | Verification |
|---|---|---|
| Build from source | None (you control everything) | Manual code review |
| Bundled/downloaded binary | You trust the release host | SHA-256 checksum |
What the tool does NOT do by default:
- Does NOT upload data anywhere
- Does NOT connect to the network
- Does NOT access credentials, SSH configs, or environment variables
- Does NOT execute external tools unless you explicitly configure
--engine external
工作流程
- 调用 skillscan:
skillscan review /path/to/target --format markdown
skillscan review /path/to/skills --output-dir /tmp/skillscan-out
- 阅读输出中的:输入类型、完整度、engine 执行状态、findings
网络上传功能 (默认禁用)
⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --upload-url.
What gets sent (only when you configure --upload-url):
- A structured JSON report containing detection findings
- An instance identifier you supply via
--instance-id - No skill source code, credentials, or system configuration is ever transmitted
外部引擎集成 (默认禁用)
⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --engine external.
Delegates pattern-matching to a user-configured local tool. This runs locally — no remote calls are made.
Permissions Required
| Scope | Reason |
|---|---|
| Read files in target path | To analyze skill source code for patterns |
Write to --output-dir | To save scan reports locally |
| Execute binary | To run the scanner engine |
| Network (optional) | Only if --upload-url is explicitly configured |