Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

sx-security-audit

v1.0.0

Comprehensive security audit skill. Checks file permissions, environment variables, dependency vulnerabilities, configuration files, network ports, Git security, shell security, macOS security, secret detection, and more. Supports CLI arguments, JSON output, and configuration files. Use this skill when the user asks for a "security check", "vulnerability scan", "permission check", or "security audit".

0 · 210 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (security audit) matches the included scripts and reference docs. The checks (permissions, secrets, deps, git, ports, macOS checks, etc.) are implemented in the provided Python code and the references. Access to ~/.openclaw, workspace, home, and repo files is expected for this purpose.
Instruction Scope
Runtime instructions and scripts explicitly scan many sensitive locations (home directory, ~/.ssh, ~/.aws, shell history, environment variables, Git diffs, workspace recursive scans) which is normal for an audit tool but high-sensitivity. The skill also supports sending generated reports to Feishu (webhook or OpenClaw plugin API). Users should expect audit output may contain secrets discovered during scans.
Install Mechanism
No install spec is provided (instruction-only plus included scripts), so nothing external is downloaded by the registry. The scripts call external tooling (e.g., npm audit, lsof) as documented; that is proportional to the stated checks but may require those tools to be present.
Credentials
The skill declares no required environment variables, but the send-to-Feishu flow can use a FEISHU_WEBHOOK_URL or the OpenClaw plugin configuration (from ~/.openclaw/openclaw.json). The audit will scan current environment variables for sensitive patterns (expected for a secrets audit). No unrelated third-party credentials are requested in metadata.
Persistence & Privilege
always:false and no evidence of the skill trying to persist itself or modify other skills. It reads user config (~/.openclaw/openclaw.json) to find optional Feishu plugin settings but does not appear to alter other skill configs.
Assessment
This tool is coherent for security auditing but is powerful: it will scan your home directory, workspace, shell histories, environment variables, and Git history and may include discovered secrets in its report. Before running: (1) review the scripts locally to confirm you trust them (they are included in the package); (2) run audits in a controlled environment (or container) if you are concerned about accidental data exposure; (3) do not use the send-to-Feishu options unless you trust the target webhook or the OpenClaw plugin API endpoint (inspect ~/.openclaw/openclaw.json for configured apiEndpoint); (4) expect some checks (npm audit, lsof) to require additional tools or elevated privileges—run with least privilege necessary and review generated report content before broadcasting.
scripts/security_audit.py:408: Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

