Pre-Publish Security Check
v1.0.0

Pre-publish security check tool for skills. Before publishing a skill to ClawHub, it automatically scans for sensitive information (API keys, tokens, private keys, email addresses, phone numbers, precise coordinates, etc.). Use before publishing any skill to prevent leaking private data.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)

Purpose & Capability
Name/description match the actual behavior: the skill is a pre-publish scanner and the shipped shell script implements pattern checks for API keys, private keys, emails, phones, and coordinates as advertised. No unrelated credentials, binaries, or services are requested.
Instruction Scope
Instructions and script operate only on the supplied skill directory and print findings; they do not read other system paths or send data externally. Note: some grep patterns and --include filters are narrow (e.g., coordinate pattern expects comma-separated values, email regex only matches several common domains), so it may produce false negatives/positives. The SKILL.md and script instruct running the local shell script only.
Install Mechanism
No install spec or remote downloads; this is instruction-only plus a single local shell script. No external packages or archives are fetched or written to disk beyond the provided files.
Credentials
The skill declares no required environment variables or credentials and the script does not read secrets or environment variables beyond the provided SKILL_DIR argument. There is no disproportionate credential access requested.
Persistence & Privilege
The skill is not forced-always, requests no persistent presence, and does not alter other skills or system configuration. It is user-invocable and runs only when invoked.
Assessment
This appears to be a safe, local pre-publish scanner. Before using it:
(1) review and, if needed, extend the regexes to match your expected key formats (the script's patterns are conservative and may miss or overmatch some cases);
(2) run it locally or in CI on copies of skill directories—it does not send data anywhere;
(3) be aware of false negatives (e.g., separate LNG/LAT assignments or uncommon email domains) and false positives;
(4) ensure the script has the correct execution permissions and that you trust the skill source before running it on sensitive directories.
latest · vk975m1edvgz0yb3fsm5atdrw2183ghy2
