Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CMIC Skill Scanner (Linux x64)

v0.8.0

Audits a skill package or archive before installation using a built-in Rust engine, with optional bridging to an external scanner.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cyzlmh/cmic-skill-scanner-linux-amd64.

Prompt preview (Install & Setup):
Install the skill "CMIC Skill Scanner (Linux x64)" (cyzlmh/cmic-skill-scanner-linux-amd64) from ClawHub.
Skill page: https://clawhub.ai/cyzlmh/cmic-skill-scanner-linux-amd64
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install cyzlmh/cmic-skill-scanner-linux-amd64

ClawHub CLI


npx clawhub@latest install cmic-skill-scanner-linux-amd64
Security Scan

Capability signals: Crypto. These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The SKILL.md and INSTALL.md repeatedly describe a bundled precompiled binary at assets/bin/skillscan and local auditing behavior; however the registry metadata flagged this as an instruction-only skill and the provided file manifest does not include the binary itself. Claiming a bundled executable while not shipping it is an incoherence: users would need to obtain a binary from an external source or build from the referenced repo, which is not made explicit in the package files.
Instruction Scope
Instructions are focused on scanning local skill directories and explicitly state network/upload features are disabled by default. They ask the tool to read target file paths and write output to an output-dir (expected for a scanner). Minor concern: the docs permit optional --upload-url and require an instance-id value, which would transmit structured findings (no source code per doc) — users should verify what exactly would be included before enabling uploads.
Install Mechanism
There is no install spec (lowest technical risk) but SKILL.md claims a bundled binary and provides a SHA-256; the package as presented does not contain the binary path it claims. The SKILL.md suggests cloning a Gitee repo and building from source — pulling code from an external repo is a reasonable option but differs from the 'bundled binary' claim and increases the user's burden to verify the source and checksum. This mismatch raises the chance a user will fetch an external binary from an untrusted location.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The documented runtime permissions (read target files, write output-dir, execute binary, optional network only if user supplies --upload-url) are proportional to a local scanning utility.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent presence or modification of other skills. Autonomous invocation via the model is allowed (platform default) but is not combined with broad or unexpected privileges here.
What to consider before installing

Do not run or execute any binary until you confirm where it comes from. Steps to take before installing or using this skill:

  • Verify the package actually includes assets/bin/skillscan; if it does not, ask the publisher where to obtain the binary and why it was omitted.
  • If you must obtain a binary from the internet, get it only from a tracked release on a trusted host and verify the provided SHA-256 matches the file you downloaded.
  • Prefer building from source: clone the referenced repo, inspect the code, and build locally; confirm the built binary's checksum matches the one documented.
  • Be cautious enabling --upload-url; confirm (by reading code or by testing in an isolated environment) exactly what fields are transmitted in the JSON report and that no source code or secrets are included.
  • Consider running the scanner in an isolated environment (VM/container) until you confirm the origin and contents of the binary.

Because the package claims a bundled executable but does not include it, treat the discrepancy as a red flag and request clarification from the publisher before trusting or executing any binary.


Latest version id: vk97961q6687k6akfsrxttcmjps858j4d
131 downloads, 0 stars, 8 versions
Updated 5d ago
v0.8.0
License: MIT-0

Skill Scan Wrapper

Use this skill when you want a quick security check of a local skill, archive, or release bundle before installing it.

⚠️ Security Notice

This tool operates locally and requires user trust in the binary you run. Always verify the checksum after downloading. For maximum security, build from source (recommended).

Binary Included

Property   Value
Location   assets/bin/skillscan
Version    v0.8.0
Platform   Linux x64
SHA-256    864f9a0189268139878c06bce7a127687f9e491a070d7c7345d22932c899bcd8

Verify locally before running:

sha256sum assets/bin/skillscan
# Compare output with the SHA-256 value above

This bundled package includes a pre-compiled binary. You can still build from source if you prefer:

git clone https://gitee.com/random_player/cmic-skill-scanner.git
cd cmic-skill-scanner && cargo build --release
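The review checklist above and the "verify locally before running" step both come down to the same gate: refuse to execute assets/bin/skillscan unless it is actually present in the package and its SHA-256 matches the value published in SKILL.md. The following script is an added example, not code from the ClawHub page or the cmic-skill-scanner project; the binary path and expected digest are taken from the page, and the function names, exit codes and the review invocation at the end are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or the project): a pre-install gate that
# implements the review checklist for the bundled binary. The path and digest
# below are the ones documented in SKILL.md; everything else is assumed.

EXPECTED_SHA256="864f9a0189268139878c06bce7a127687f9e491a070d7c7345d22932c899bcd8"

# Print the SHA-256 of a file using whichever standard tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool available" >&2; return 3
    fi
}

# verify_binary <path> <expected-hex>
# Returns 0 when the file exists and its digest matches the expected value,
# 1 when the file is missing (the review's "red flag" case: the package claims
# a binary it does not ship), 2 when the digest does not match.
verify_binary() {
    path="$1"; expected="$2"
    if [ ! -f "$path" ]; then
        echo "MISSING: $path is not in the package; ask the publisher where it comes from" >&2
        return 1
    fi
    actual=$(file_sha256 "$path") || return 3
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $path has $actual, expected $expected" >&2
        return 2
    fi
    echo "OK: $path matches the documented SHA-256"
    return 0
}

# Gate: run the scanner offline (no --upload-url, no --engine external) only
# after verification passes; otherwise propagate the verification result.
run_scan_if_verified() {
    skill_dir="${1:-.}"; target="${2:-$skill_dir}"
    bin="$skill_dir/assets/bin/skillscan"
    verify_binary "$bin" "$EXPECTED_SHA256" || return $?
    "$bin" review "$target" --format markdown
}
```

Run it from the unpacked skill directory as `run_scan_if_verified . /path/to/target`; a non-zero return means the scanner was never executed.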

Prerequisites

  • No external dependencies are required by default
  • The --upload-url and --engine external features are disabled by default and are only enabled when the user explicitly configures them

Trust Model

This is an open-source (MIT-0) package. The binary (bundled or downloaded) is a convenience only — it does not grant any additional trust.

Your options:

Approach                   Trust Requirement               Verification
Build from source          None (you control everything)   Manual code review
Bundled/downloaded binary  You trust the release host      SHA-256 checksum

What the tool does NOT do by default:

  • Does NOT upload data anywhere
  • Does NOT connect to the network
  • Does NOT access credentials, SSH configs, or environment variables
  • Does NOT execute external tools unless you explicitly configure --engine external

Workflow

  1. Invoke skillscan:
skillscan review /path/to/target --format markdown
skillscan review /path/to/skills --output-dir /tmp/skillscan-out
  2. Read the following from the output: input type, completeness, engine execution status, findings

Network Upload (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --upload-url.

What gets sent (only when you configure --upload-url):

  • A structured JSON report containing detection findings
  • An instance identifier you supply via --instance-id
  • No skill source code, credentials, or system configuration is ever transmitted

External Engine Integration (disabled by default)

⚠️ This feature is completely optional and disabled by default. It requires explicit user configuration via --engine external.

Delegates pattern-matching to a user-configured local tool. This runs locally — no remote calls are made.

Permissions Required

Scope                      Reason
Read files in target path  To analyze skill source code for patterns
Write to --output-dir      To save scan reports locally
Execute binary             To run the scanner engine
Network (optional)         Only if --upload-url is explicitly configured
