mathematical audit skills
Version: v3.6.1
Performs comprehensive mathematical audits of OpenClaw skills using complexity, pattern, entropy, graph theory, and statistical analyses with full security t...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, medium confidence

Purpose & Capability
Name/description match the code and included files: the code implements entropy, graph- and complexity-related metrics. The skill does not request unrelated credentials, binaries, or config paths. Minor documentation/version inconsistencies exist (examples: __init__.py lists 3.5.5, config.yaml shows 3.6.0 while SKILL.md and top-level skill.py claim 3.6.1; comments also reference a prior v6.0.0 enhancement). These appear to be documentation housekeeping issues rather than functional mismatches.
Instruction Scope
SKILL.md constrains runtime behavior (read-only file access, no network, no dynamic exec, no subprocess). The visible skill.py snippets use only standard libraries and AST-based static analysis patterns which align with the stated scope. SKILL.md includes verification commands (grep, bandit) you can run locally. However a portion of the package was truncated in the listing; you should still inspect the full skill.py for any uses of importlib, dynamic imports, socket, subprocess, eval/exec/compile, or file writes not matched by the truncated excerpt.
Install Mechanism
No install spec is provided (no external downloads or package installs). requirements.txt declares only standard-library modules. This is proportionate for a pure-Python tool that runs locally.
Credentials
The skill requires no environment variables, no credentials, and no config paths. That aligns with a local read-only auditor; there are no apparent requests for unrelated secrets.
Persistence & Privilege
Flags show always:false and model invocation allowed (normal). The package claims read-only operation and contains no install-time scripts or service/daemon installers. The changelog documents removal of prior release scripts that previously did file modifications, which reduces persistence risk — but you should still verify no file-write calls exist in the full code.
Assessment
This package appears to implement what it claims (a read-only mathematical audit) and asks for no credentials or installs. Before installing or running it on sensitive code:
1) open and scan the entire skill.py for any of: eval/exec/compile, importlib or __import__ usage, subprocess/socket imports/usage, or open(...,'w'|'wb') calls;
2) run the suggested grep checks and a local bandit scan (pip install bandit; bandit -r .);
3) run it in a sandbox or on non-sensitive/sample code first;
4) note the messy version history (several files list different versions) — prefer a release with consistent metadata or ask the maintainer to confirm the canonical release if you need high assurance.
If you lack the ability to audit the full file, treat the skill as untrusted and run it isolated from sensitive repositories.
Tags: code-audit, complexity-analysis, developer-tools, latest, mathematical-analysis, static-analysis
