Skill Auditor
v1.0.3
Security audit + append-only logging + monitoring for OpenClaw skills (file-level diff, baseline approval, SHA-256 integrity). Requires Python ≥3.9 and git.
by ucloud-securiry @ucloud-security
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (security audit, file diff, SHA-256, baseline approval) match the included Python scripts and JSON config. Requested runtime (Python ≥3.9 and git) is exactly what the tool needs for local scanning, git snapshots, and logging. The presence of risk patterns and rules (network / dangerous-command needles) is appropriate for a scanner that must detect those strings.
Instruction Scope
The SKILL.md and the scripts consistently describe a local static-analysis workflow: reading files under workspace/skills, running git subprocesses, computing hashes, and appending NDJSON logs. The skill explicitly states it will not execute audited skill code. Important privacy note: the scanner reads skill files and stores snippets/evidence and extracted domains in logs; these logs (and git snapshots) may therefore contain sensitive data if any audited skill stores secrets in files. The SKILL.md enforces use of a 'show' command and warns against pushing full diffs by default — consistent with safer behavior, but users should confirm that logs and snapshots are protected.
Install Mechanism
No remote install/downloads or third-party package installs are declared. The package is instruction + local Python scripts (no install spec). That is the lowest-risk install pattern for this kind of tool.
Credentials
The skill requests no environment variables, credentials, or external endpoints. That is proportionate. However, the scanner intentionally looks for sensitive-path patterns (e.g., ~/.ssh, AWS keys) and will record evidence snippets and domains — so while it doesn't require your secrets, it may surface and store them if they are present in audited skill files. Users should restrict file-system access to the audit directory and logs (~/.openclaw/skills-audit).
Persistence & Privilege
The skill does not set always:true and does not attempt to modify other skills' configuration. It writes its own state/logs/snapshots under ~/.openclaw/skills-audit and has commands to create/manage baseline approvals; those are expected behaviors for an audit tool. The SKILL.md explicitly instructs agents not to auto-create cron jobs, which reduces unwanted persistence.
Scan Findings in Context
[DYNAMIC_EXEC (subprocess.run / subprocess.Popen)] expected: Both scripts use subprocess.run to invoke git and Python (for scan/show). This is required for performing git snapshots and invoking the local audit runner; presence of subprocess usage is expected behavior for a file-diff/audit tool.
[NETWORK_GENERAL / network needles in config (http://, https://, curl|wget strings)] expected: The repository includes many network-related strings inside config/risk-rules.json and semantic-patterns.json as detection signatures. Static scanners may flag these strings, but they are data used to detect network patterns, not active network calls. The Python code explicitly avoids using HTTP client libraries.
[SENSITIVE_PATHS / sensitive-file needles present in rules] expected: Config includes needles for sensitive paths (e.g., ~/.ssh, /etc/shadow). This is appropriate for a tool that must detect references to sensitive files; however, it also means the tool may log snippets if such paths appear in audited skill files — verify log access controls.
Assessment
This skill appears to do what it claims: local static scanning, git snapshots, baseline approval, and append-only logging. Before installing or enabling it: (1) Inspect and confirm the log/snapshot path (~/.openclaw/skills-audit) and set filesystem permissions so only authorized users can read it, because logs may include snippets from scanned files (including secrets if present). (2) Run the scanner manually once in a controlled environment to observe outputs before allowing automated cron runs. (3) Do not allow the Agent to auto-create cron jobs; follow the SKILL.md guidance to create any scheduled tasks manually after review. (4) If you need absolute assurance that no network calls occur, review the scripts for any added dependencies or changes (the shipped code currently avoids HTTP clients). (5) If you plan to audit sensitive or production skills, consider running the scan inside a sandboxed account or VM and rotate access to the audit directory. All of the notable static 'dangerous' strings are detection rules (expected) rather than evidence of outbound network/exfiltration behavior.
