Skills Audit
Pass
Audited by ClawScan on Apr 6, 2026.
Overview
The package is internally consistent with its stated purpose: a local, static skills auditor that snapshots skills, writes append-only logs, and optionally queries a remote intel service if the user supplies a token.
This skill appears to be what it says: a local static auditor and monitor. Before enabling it, note:

(1) It will read all files under your workspace/skills and store snapshots and NDJSON logs under ~/.openclaw/skills-audit. These logs can include file snippets and paths, so review their permissions.
(2) The optional remote intel lookup (QianXin SafeSkill) requires you to add your token to config/intelligent.json. Leave it disabled unless you trust that service and understand that only a bundle MD5 is sent, not full files.
(3) The tool executes local subprocesses such as git and the included helper scripts. Ensure git is installed and review the scripts if you want to audit exact behavior.
(4) The skill deliberately does not auto-create cron jobs, so you must explicitly add scheduling if desired.
(5) Minor implementation note: the code has a default config fallback for QianXin that may differ from the shipped intelligent.json default, but the shipped config sets enabled:false. Verify config/intelligent.json to be sure remote queries remain disabled.

If you need to be extra cautious, run the scanner once in a restricted environment, inspect ~/.openclaw/skills-audit/logs.ndjson, and keep the QianXin token empty.
