Li_codeQL_LLM
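A tool that combines CodeQL security scanning with LLM-assisted analysis. It detects the CodeQL installation, scans a specified directory, generates vulnerability reports, runs LLM analysis, integrates with Jenkins, and outputs a verification checklist.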
MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Terry S Fisher @43622283
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the code: the package performs CodeQL scans, generates SARIF/Markdown reports, integrates with Jenkins and an LLM. However the metadata/registry declares no required env vars while the code and docs expect many environment/config values (OPENCLAW_GATEWAY_WS_URL, JENKINS_URL/JENKINS_TOKEN, GITEA_TOKEN, CODEQL_PATH, LLM_* flags). The skill therefore underreports what it needs and will require broad config/credential setup to function.
Instruction Scope
SKILL.md and code explicitly instruct creating databases, running codeql, and sending SARIF results to an OpenClaw LLM agent (OpenClawClient.connect()). Documentation also includes generating exploit payloads for '靶机' (lab target machine) scenarios and shows Jenkins automation steps that suggest disabling CSRF and embedding credentials (examples use plaintext devops:devsecops). These instructions go beyond simple scanning: they direct network transmission of potentially large/sensitive SARIF data to a remote agent and include insecure Jenkins operations.
Install Mechanism
There is no formal install spec in the registry (instruction-only), which limits automatic risks. SKILL.md shows manual steps to download CodeQL from GitHub releases (a trusted host). Some guidance references installing an OpenClaw SDK from a local path and pip; nothing in the package auto-downloads arbitrary archives. Overall install risk is moderate but manual and requires user actions.
Credentials
Registry declares no required env vars or credentials, but the code and multiple docs expect and instruct use of many secrets/configs: JENKINS_USER/JENKINS_TOKEN, JENKINS_URL, GITEA_TOKEN, OPENCLAW_GATEWAY_WS_URL, CODEQL_PATH, LLM_* flags, and .env management. This mismatch is significant: the skill will attempt connections and operations that require sensitive tokens not declared up-front. Some docs even include example credentials and commands to disable Jenkins CSRF.
Persistence & Privilege
Skill does not set 'always: true' and does not request unusual persistent platform privileges. It can invoke an LLM agent via OpenClaw (autonomous agent invocation is allowed by default), which increases blast radius if the skill is enabled — but that is platform-normal and not itself an unexplained privilege.
What to consider before installing
This skill appears to implement CodeQL scanning plus optional LLM analysis, but there are several red flags you should consider before installing or running it:
- Privacy vs behavior: The PRIVACY_AND_SECURITY.md claims 'no remote transmission' but the code (analyze_with_llm.py and integration docs) sends SARIF results to an OpenClaw LLM agent (OpenClawClient.connect()). If you enable LLM_AUTO_ANALYZE or configure OPENCLAW_GATEWAY_WS_URL, your scan data will be transmitted to that gateway/agent. Only enable LLM integration when you trust the gateway and understand what data is sent.
- Undeclared secrets/configs: The registry metadata lists no required env vars, but the code and docs require/expect Jenkins tokens, Gitea tokens, CODEQL_PATH, and OpenClaw gateway settings. Treat these as required secrets: do not put them into source control; store them securely and follow principle of least privilege.
- Jenkins guidance is risky: Several docs show plaintext example credentials (devops:devsecops) and even suggest disabling CSRF or using passwords instead of API tokens. Do not follow instructions that weaken Jenkins security in production; always use API tokens and avoid disabling CSRF.
- Exploit generation: The skill can generate proof-of-concept payloads / exploitation steps (LLM_GENERATE_EXPLOIT, 'exploit' analysis mode). Only run those features against systems you are authorized to test (e.g., intentionally vulnerable lab/CTF environments). Disable exploit generation in audits of real projects.
- Operational recommendations: Run the skill in an isolated/test environment first, review and sanitize the .env example and all example credentials, set LLM_AUTO_ANALYZE=false unless you intentionally want remote analysis, and inspect the code (analyze_with_llm.py, scanner.py, jenkins_integration.py) to confirm what is transmitted. If you use Jenkins/Gitea integration, create dedicated least-privilege tokens and rotate/revoke them after testing.
If you want, I can list the exact files and lines that call OpenClawClient, subprocesses, or reference Jenkins/Gitea/credentials so you can review them before running.
Like a lobster shell, security has layers — review code before you run it.
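The gap between declared and actual environment variables noted in the scan above can be checked before installing. This is an added example, not code from the package or the scanner: it parses Python source with `ast` and lists every environment variable the code reads that the manifest does not declare. `SAMPLE_SOURCE` is a constructed stand-in for a skill file, and the function names are hypothetical.

```python
import ast

# Constructed stand-in for one of the skill's Python files (not the real code).
SAMPLE_SOURCE = '''
import os
gateway = os.environ.get("OPENCLAW_GATEWAY_WS_URL")
token = os.getenv("JENKINS_TOKEN")
codeql = os.environ["CODEQL_PATH"]
auto = os.getenv("LLM_AUTO_ANALYZE", "false")
'''


def env_vars_read(source: str) -> set:
    """Collect literal environment variable names read by the source."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        # os.getenv("X") and os.environ.get("X")
        if isinstance(node, ast.Call) and node.args:
            if ast.unparse(node.func) in ("os.getenv", "os.environ.get"):
                arg = node.args[0]
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    found.add(arg.value)
        # os.environ["X"]
        elif isinstance(node, ast.Subscript):
            if ast.unparse(node.value) == "os.environ":
                key = node.slice
                if isinstance(key, ast.Constant) and isinstance(key.value, str):
                    found.add(key.value)
    return found


def undeclared(source: str, declared) -> list:
    """Variables the code reads that the registry metadata does not list."""
    return sorted(env_vars_read(source) - set(declared))


if __name__ == "__main__":
    # The registry entry declares no env vars, so everything is reported.
    for name in undeclared(SAMPLE_SOURCE, declared=[]):
        print("undeclared:", name)
```

Names built at runtime (for example from string concatenation) are not caught by this literal-only check, so a manual read of the files is still needed.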
Current version v1.0.0
Runtime requirements
Bins: codeql
SKILL.md
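CodeQL + LLM Combined Security Scanning Skill
🎯 Core features
This Skill implements a fully automated workflow that combines CodeQL scanning with LLM-assisted analysis:
- Automatic detection - checks whether CodeQL is installed and which version
- Security scanning - scans a specified directory or a lab target project
- Report generation - produces reports in SARIF and Markdown formats
- LLM analysis - analyzes the scan results, identifies false positives, and assigns priorities
- Verification checklist - generates an actionable vulnerability verification checklist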
📦 Prerequisites
Required
- CodeQL CLI (v2.10.0+)
- Python 3.11+ (used to create the database)
- uv or pip (Python package management)
Optional
- Node.js (for analyzing certain languages)
- Java JDK (for analyzing Java projects)
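🚀 Quick start
1. Check the environment
# Check whether CodeQL is installed
codeql --version
# If it is not installed, download and unpack it
wget https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip
unzip codeql-linux64.zip -d /opt/codeql
ln -s /opt/codeql/codeql/codeql /usr/local/bin/codeql
2. Use the Skill
Ask directly in the conversation:
Scan /path/to/project for security vulnerabilities
Or specify a lab target directory:
Scan the /root/devsecops-python-web lab target and generate a verification checklist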
📋 Command reference
Basic scan
# Scan the current directory
codeql database create codeql-db --language=python --source-root=.
codeql database analyze codeql-db python-security-extended.qls \
  --format=sarif-latest --output=results.sarif
Invoking through the Skill
In an OpenClaw session:
/codeql_scan /path/to/project
Or describe what you need:
Scan this project for me, analyze the security issues with CodeQL, then generate a report
📊 Workflow
Step 1: Environment detection
# Check CodeQL
which codeql && codeql --version
# Check the supported languages
codeql resolve languages
Step 2: Create the database
# Python project
codeql database create codeql-db \
  --language=python \
  --source-root=/path/to/project \
  --overwrite
Step 3: Run the analysis
# Download the query pack
codeql pack download codeql/python-queries
# Run the analysis
codeql database analyze codeql-db \
  /root/.codeql/packages/codeql/python-queries/*/codeql-suites/python-security-extended.qls \
  --format=sarif-latest \
  --output=codeql-results.sarif
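Step 4: LLM analysis
Send the SARIF results to the LLM:
import json
with open('codeql-results.sarif') as f:
    data = json.load(f)
# Extract the key fields
results = data['runs'][0]['results']
for r in results:
    print(f"规则:{r['ruleId']}")
    print(f"描述:{r['message']['text']}")
    # SARIF stores the file path under artifactLocation.uri
    print(f"位置:{r['locations'][0]['physicalLocation']['artifactLocation']['uri']}")
LLM analysis covers:
- Severity ranking of the vulnerabilities
- False-positive identification
- Fix recommendations
- Exploitation difficulty assessment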
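Because Step 4 sends scan output to an LLM gateway, it helps to reduce each finding to the fields the analysis needs first. The following is an added example, not the Skill's own code: it drops code snippets and embedded file contents and rewrites absolute paths relative to the source root. `SAMPLE_SARIF` is constructed, and `minimize_sarif` and its `source_root` parameter are hypothetical names.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of codeql-results.sarif (not real scan output).
SAMPLE_SARIF = {"runs": [{
    "artifacts": [{"location": {"uri": "app/db.py"},
                   "contents": {"text": "PASSWORD = 'hunter2'\n"}}],
    "results": [{
        "ruleId": "py/sql-injection",
        "message": {"text": "This SQL query depends on a user-provided value."},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "file:///root/devsecops-python-web/app/db.py"},
            "region": {"startLine": 44,
                       "snippet": {"text": "cur.execute(q + name)"}},
        }}],
    }],
}]}


def minimize_sarif(sarif: dict, source_root: str = "") -> list:
    """Keep rule, message, file and line; omit snippets and file contents."""
    findings = []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            locs = res.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "")
            path = urlparse(uri).path
            # Do not leak the local directory layout to the remote side.
            if source_root and path.startswith(source_root):
                path = path[len(source_root):].lstrip("/")
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                "message": res.get("message", {}).get("text", ""),
                "file": path,
                "line": phys.get("region", {}).get("startLine"),
            })
    return findings


if __name__ == "__main__":
    compact = minimize_sarif(SAMPLE_SARIF, "/root/devsecops-python-web")
    print(json.dumps(compact, indent=2))
```

Rule messages can still quote identifiers from the code, so review the compact output before it leaves the machine.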
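Step 5: Generate the reports
The following files are generated:
- CODEQL_SECURITY_REPORT.md - full scan report
- 漏洞验证_Checklist.md - actionable verification checklist
- codeql-results.sarif - raw results (can be uploaded to GitHub Security)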
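🎯 Usage scenarios
Scenario 1: Lab target vulnerability analysis
Scan the /root/devsecops-python-web lab target
- Identify all security vulnerabilities
- Classify them by OWASP Top 10
- Generate exploit payloads
- Output the verification checklist
Scenario 2: Project security audit
Scan /path/to/my-project
- Detect critical and high-severity vulnerabilities
- Give fix priorities
- Generate an audit report
Scenario 3: CI/CD integration
# .github/workflows/security.yml
- name: CodeQL Scan
  run: |
    codeql database create db --language=python
    codeql database analyze db python-security-extended.qls \
      --format=sarif-latest --output=results.sarif
- name: LLM Analysis
  run: |
    # Call the LLM to analyze results.sarif
    # Generate fix recommendations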
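📁 Output files
1. CODEQL_SECURITY_REPORT.md
Contains:
- Executive summary (total number of vulnerabilities and their distribution)
- Details grouped by severity
- Code location, description, and fix recommendation for each vulnerability
- Statistics charts
2. 漏洞验证_Checklist.md
Contains:
- A printable checklist
- Verification steps for each vulnerability
- Test payloads and commands
- Expected results
- Fields for recording screenshots and logs
3. codeql-results.sarif
- Standard SARIF format
- Can be uploaded to GitHub Security
- Can be viewed with the VS Code SARIF Viewer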
🔧 Configuration options
Scan language
# Python
--language=python
# JavaScript
--language=javascript
# Java
--language=java
# Go
--language=go
# Multiple languages
--language=python,javascript
Query suites
# Security extended (recommended)
python-security-extended.qls
# Code quality
python-code-quality.qls
# Security and quality
python-security-and-quality.qls
# Code scanning (default)
python-code-scanning.qls
Output format
# SARIF (recommended)
--format=sarif-latest
# CSV
--format=csv
# JSON
--format=json
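🐛 FAQ
Q: CodeQL database creation fails?
A: Make sure the project builds normally:
# Python project
python -m pip install -r requirements.txt
# Then create the database
codeql database create db --language=python
Q: Too many scan results?
A: Use filtering:
# Goal: only critical and high. --sarif-category only labels the run in the
# SARIF output; it does not filter results by severity.
codeql database analyze db python-security-extended.qls \
  --rerun \
  --format=sarif-latest \
  --sarif-category=severity \
  --output=results.sarif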
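To keep only critical and high findings, the SARIF file can be filtered after the analysis using the `security-severity` score that CodeQL attaches to each security rule. This is an added example, not the Skill's own code: the sample data and its scores are constructed, the function names are hypothetical, and the 7.0 threshold corresponds to the high and critical bands used by GitHub code scanning.

```python
# Constructed sample: rule metadata and results in SARIF layout.
SAMPLE_SARIF = {"runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "py/sql-injection",
         "properties": {"security-severity": "8.8"}},
        {"id": "py/code-injection",
         "properties": {"security-severity": "9.3"}},
        {"id": "py/stack-trace-exposure",
         "properties": {"security-severity": "5.4"}},
        {"id": "py/unused-import", "properties": {}},  # quality rule, no score
    ]}},
    "results": [
        {"ruleId": "py/sql-injection"},
        {"ruleId": "py/stack-trace-exposure"},
        {"ruleId": "py/code-injection"},
        {"ruleId": "py/unused-import"},
    ],
}]}


def rule_severities(run: dict) -> dict:
    """Map rule id to its security-severity score (stored as a string)."""
    tool = run.get("tool", {})
    # Rules live under the driver or, when grouped by pack, under extensions.
    components = [tool.get("driver", {})] + tool.get("extensions", [])
    scores = {}
    for comp in components:
        for rule in comp.get("rules", []):
            raw = rule.get("properties", {}).get("security-severity")
            if raw is not None:
                scores[rule["id"]] = float(raw)
    return scores


def high_and_critical(sarif: dict, threshold: float = 7.0) -> list:
    """Return (rule id, score) for results at or above the threshold."""
    kept = []
    for run in sarif.get("runs", []):
        scores = rule_severities(run)
        for res in run.get("results", []):
            rule_id = res.get("ruleId") or res.get("rule", {}).get("id")
            score = scores.get(rule_id)
            if score is not None and score >= threshold:
                kept.append((rule_id, score))
    return sorted(kept, key=lambda item: -item[1])


if __name__ == "__main__":
    for rule_id, score in high_and_critical(SAMPLE_SARIF):
        print(f"{score:4.1f}  {rule_id}")
```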
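Q: How do I reduce false positives?
A:
- Use python-security-extended.qls rather than python-code-scanning.qls
- Let the LLM analysis identify false positives
- Manually verify the critical vulnerabilities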
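📚 Related resources
🎓 Example session
Full workflow example
User: Scan the /root/devsecops-python-web lab target
Assistant:
- ✅ Detected that CodeQL is installed (v2.22.1)
- ✅ Created the database (13 Python files)
- ✅ Ran 52 security queries
- ✅ Found 30 vulnerabilities
- ✅ Generated reports:
  - CODEQL_SECURITY_REPORT.md
  - 漏洞验证_Checklist.md
  - codeql-results.sarif
User: Analyze the 3 most severe vulnerabilities
Assistant:
- SQL injection - line 44 - exploit: ' OR '1'='1
- Code injection - line 138 - exploit: __import__('os').system('id')
- Command injection - line 88 - exploit: ; cat /etc/passwd
See the report for detailed exploitation methods...
Version: 1.0.0
Author: OpenClaw Community
License: MIT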
