Trusted: risk score 5/100
Last scanned: 1 day ago
skill-guard
Claude Code / OpenClaw Skill security auditing tool with always-active hook interception + static/LLM scanning + sandbox behavioral testing
Skill Guard is a legitimate security auditing tool with no malicious behavior - all capabilities match documentation, no external dependencies, and proper sandbox isolation.
Skill name: skill-guard
Analysis time: 61.0s
Engine: pi
Safe to install
This skill is safe to use. It provides valuable security auditing capabilities for Claude Code / OpenClaw skills.

Security findings: 4

Severity / Finding / Location
Info
Subprocess execution for sandbox [Code execution]
sandbox_run.py uses subprocess.run() to execute target skill scripts with --help flag. This is the intended sandbox isolation mechanism.
subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, cwd=str(sandbox_dir), env=restricted_env)
→ This is legitimate security tool behavior - no action needed
scripts/sandbox_run.py:195

Info
String segmentation for anti-AV detection [Code obfuscation]
Threat keywords in regex patterns are constructed from string segments to prevent antivirus false positives. Explicitly documented as a defensive measure.
"crypt" + "onight"
→ This is a legitimate anti-AV technique used by security tools - no action needed
scripts/quick_scan.py:80

Info
Sensitive path patterns are detection rules [Sensitive access]
Patterns referencing ~/.ssh, ~/.aws, etc. are regex detection rules for identifying malicious patterns in TARGET skills being scanned - not access attempts by this skill itself.
_KW_SENS_PATHS = "|".join(["\\.s" + "sh", "\\.a" + "ws", ...])
→ This is legitimate scanning behavior - no action needed
scripts/quick_scan.py:102

Info
Session state persistence [Privilege escalation]
danger_guard.py persists session state to /tmp/skill-guard-hook/ to avoid re-blocking confirmed operations. Uses temp directory with user permissions.
SESSION_STATE_DIR = os.path.join(tempfile.gettempdir(), "skill-guard-hook")
→ Appropriate use of temp directory for session state - no security concern
hooks/danger_guard.py:21

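| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Consistent | SKILL.md states Read tool usage for target skill files |
| Command execution | WRITE | WRITE | ✓ Consistent | subprocess.run() in sandbox_run.py lines 195-211, danger_guard.py runs as PreToo… |
| Network access | NONE | NONE | | No network calls in code; sandbox explicitly denies network access |
| Environment variables | NONE | READ | ✓ Consistent | Reads USER, LANG from os.environ for sandbox env only |
| Skill invocation | WRITE | WRITE | ✓ Consistent | SKILL.md declares skill_invoke capability for auditing other skills |
| Clipboard | NONE | NONE | | No clipboard access detected |
| Browser | NONE | NONE | | No browser access detected |
| Database | NONE | NONE | | No database access detected |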

Directory structure

12 files · 109.6 KB · 2618 lines
Python: 3 files, 1617 lines · Markdown: 6 files, 935 lines · JSON: 3 files, 66 lines
├─ 📁 .claude
│ └─ 📋 settings.local.json JSON 20L · 1.2 KB
├─ 📁 hooks
│ ├─ 🐍 danger_guard.py Python 420L · 16.8 KB
│ └─ 📋 hooks.json JSON 27L · 610 B
├─ 📁 references
│ ├─ 📝 checklist.md Markdown 162L · 6.3 KB
│ ├─ 📝 dangerous_commands.md Markdown 133L · 5.5 KB
│ ├─ 📝 known_threats.md Markdown 156L · 10.0 KB
│ └─ 📝 openclaw_adapter.md Markdown 186L · 5.5 KB
├─ 📁 scripts
│ ├─ 🐍 quick_scan.py Python 719L · 31.2 KB
│ └─ 🐍 sandbox_run.py Python 478L · 19.8 KB
├─ 📋 _meta.json JSON 19L · 549 B
├─ 📝 README.md Markdown 104L · 4.7 KB
└─ 📝 SKILL.md Markdown 194L · 7.4 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| Python standard library only | N/A | stdlib | | Uses json, os, re, sys, pathlib, subprocess, shutil, argparse, tempfile, uuid, math, base64 - no external packages |

Security highlights

✓ No external dependencies - uses only Python standard library
✓ All capabilities declared in SKILL.md match actual implementation
✓ Proper sandbox isolation with macOS sandbox-exec or Linux restricted environment
✓ Network access explicitly denied in sandbox profile
✓ Session state stored in temp directory with user permissions
✓ Self-scan prevention with # noscan comments prevents false positives
✓ Comprehensive 8-dimension audit checklist for semantic analysis
✓ Known threat pattern database for detection
✓ No credential harvesting, no data exfiltration, no reverse shell patterns
✓ Code is well-documented and readable with clear intent
✓ Exit code 2 for blocking (standard hook convention) with user confirmation flow