Security Audit

Minimal helper to audit skill.md-style instructions for supply-chain risks.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 787 · 2 current installs · 2 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (security-audit) aligns with the included audit.py and README/SKILL.md. The only required binary is python3, which is appropriate for a Python script; there are no unrelated env vars, credentials, or surprising dependencies.
Instruction Scope
SKILL.md tells the agent/user to run `python audit.py path/to/skill.md`. audit.py reads only the supplied file and performs regex-based heuristics for exfiltration, file-access, and shell patterns, then prints a risk summary. It does not perform network calls or read other system files itself. Note: it flags mentions of sensitive paths/keywords but does not automatically inspect those other paths.
Install Mechanism
There is no install spec; the skill is instruction-only with a bundled audit.py. That is low-risk — nothing is downloaded or extracted from external URLs and the code is present in the bundle for review.
Credentials
No environment variables, credentials, or config paths are requested. The tool's scope does not require secrets or external tokens.
Persistence & Privilege
always is false, model invocation is normal, and the skill does not attempt to modify agent/system configuration or persist credentials. It runs on-demand and has no elevated privileges.
Assessment
This skill appears coherent and low-risk: it's a local Python script that heuristically scans a single skill.md for suspicious patterns. Before using it, quickly eyeball audit.py yourself (it's short and included), and be aware it only searches text with simple regexes (it can miss obfuscated strings, multi-file issues, or nested downloads). Don't rely solely on its output — treat it as a first-pass aid and perform manual review for anything flagged. If you plan to scan skill files containing secrets, run the tool on a sanitized copy or in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0
latestvk979pc5rygx8yp58ypzea0353981b97t

Runtime requirements

Bins: python3

SKILL.md

security-audit

Minimal helper to audit skill.md-style instructions for supply-chain risks.

Features

  • Heuristic scan for exfiltration patterns (HTTP POST, curl to unknown domains, reading ~/.env, credential keywords).
  • Permission manifest reminder: lists filesystem/network touches it sees.
  • Safe report: markdown summary + risk level.

Usage

python audit.py path/to/skill.md > report.md

Files

4 total