Low risk: risk score 12/100
Last scan: 1 day ago
skill-safety-auditor
Perform comprehensive security audits on skills to identify vulnerabilities, unsafe patterns, and compliance issues
This is a legitimate security audit tool that performs static analysis via grep-based pattern matching with no malicious functionality found. The two 'critical' findings in the included audit report are false positives where the tool detects its own defensive regex patterns as hardcoded secrets.
Skill name: skill-safety-auditor
Analysis time: 47.6s
Engine: pi
Verdict: can be installed
No action needed. The skill performs documented static security analysis on target skills using pattern matching. The flagged 'secrets' are the tool's own detection patterns (e.g., "password.*=.*'"), which are false positives, a known limitation of signature-based scanners. Consider improving the self-skip logic to prevent false positives when auditing the tool itself.

Security findings: 2

Severity | Finding | Location

Info | False positive secrets detection (category: documentation deception) | scripts/audit-skill.sh:137
The included audit report (data/AUDIT-20260313-001.json) flags 2 'critical' findings, but these are false positives. The tool's defensive regex patterns (e.g., 'password.*=.*['"]') in the PATTERNS array match the scanner's own detection signatures.
Evidence: password.*=.*['\"][^'\"]+['\"]
→ This is a known limitation of signature-based scanners. The self-skip check on line 145 partially addresses this but misses cases where the patterns sit on different lines from the skip logic.

Info | quick-scan.sh lacks self-skip check (category: documentation deception) | scripts/quick-scan.sh:36
The quick-scan.sh script does not have a self-skip check like audit-skill.sh, so it reports its own detection patterns as secrets when scanning itself.
Evidence: grep -rn -E "api[_-]?key.*=.*['\"]|password.*=.*['\"]...
→ Add exclusion logic similar to audit-skill.sh to skip the scanner's own files.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ Consistent | Reads target skill files for scanning (grep -rn)

Directory structure

7 files · 21.2 KB · 775 lines
Shell: 4 files · 476 lines; Markdown: 2 files · 280 lines; JSON: 1 file · 19 lines
├─ 📁 data
│ └─ 📋 AUDIT-20260313-001.json JSON 19L · 1016 B
├─ 📁 scripts
│ ├─ 🔧 audit-skill.sh Shell 281L · 8.7 KB
│ ├─ 🔧 list-audits.sh Shell 79L · 2.0 KB
│ ├─ 🔧 quick-scan.sh Shell 66L · 1.7 KB
│ └─ 🔧 test.sh Shell 50L · 1.2 KB
├─ 📝 README.md Markdown 46L · 1.2 KB
└─ 📝 SKILL.md Markdown 234L · 5.4 KB

Security highlights

✓ No credential harvesting or exfiltration detected
✓ No reverse shells, C2, or data theft mechanisms
✓ No base64-encoded payloads or obfuscation
✓ No malicious network connections
✓ No supply chain attacks or unpinned dependencies
✓ Documentation accurately describes tool capabilities
✓ Capability declarations match actual behavior
✓ Appropriate use of shell:WRITE for security scanning (documented and necessary)