skill-security-scanner 安全扫描报告 — 可信 | ClawSafe

5 /100

skill-security-scanner

Enterprise-Grade Skill Security Scanner - 自动检测 ClawHub / GitHub / 本地 Skill 的安全风险

Skill Security Scanner is a legitimate defensive security tool that scans AI skills for vulnerabilities. All capabilities are properly declared and necessary for its security scanning function.

技能名称skill-security-scanner

分析耗时28.9s

引擎pi

✓

可以安装

This skill is safe to use. It's a security-focused tool with appropriate capabilities for static analysis of target skills.

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`READ`	✓ 一致	SKILL.md declares file scanning capability
网络访问	`READ`	`READ`	✓ 一致	Downloads target skills for analysis - declared in '使用方法' section
命令执行	`WRITE`	`WRITE`	✓ 一致	Uses subprocess for static pattern matching - declared as '核心能力'
环境变量	`NONE`	`READ`	✓ 一致	Reads $HOME, $PATH for skills directory - necessary for batch scanning

7 严重 12 项发现

💀

严重危险命令危险 Shell 命令

rm -rf /

references/dangerous-commands.md:7

💀

严重危险命令危险 Shell 命令

rm -rf ~

references/dangerous-commands.md:8

💀

严重危险命令危险 Shell 命令

curl \| bash

references/dangerous-commands.md:10

💀

严重危险命令危险 Shell 命令

wget -O- \| sh

references/dangerous-commands.md:11

💀

严重危险命令危险 Shell 命令

curl https://... \| sh

references/dangerous-commands.md:12

💀

严重危险命令危险 Shell 命令

wget https://... \| bash

references/dangerous-commands.md:13

💀

严重危险命令危险 Shell 命令

wget \| bash

references/rules.md:125

🔗

中危外部 URL 外部 URL

https://clawhub.ai/AphobiaCat/aibtc

SKILL.md:82

🔗

中危外部 URL 外部 URL

https://clawhub.ai/chrisochrisochriso-cmyk/clawsec

SKILL.md:87

🔗

中危外部 URL 外部 URL

https://clawhub.ai/owner/skill-name

SKILL.md:148

🔗

中危外部 URL 外部 URL

https://wry-manatee-359.convex.site/api/v1/download?slug=$(echo

scripts/scan.sh:252

🔗

中危外部 URL 外部 URL

https://clawhub.ai/steipete/video-frames

scripts/scan.sh:394

目录结构

11 文件 · 68.0 KB · 1844 行

Markdown 4f · 1020L Shell 3f · 591L JavaScript 3f · 231L Text 1f · 2L

├─ ▾ 📁 node

│ ├─ 📜 index.js JavaScript 22L · 576 B

│ └─ 📜 scanner.js JavaScript 196L · 8.3 KB

├─ ▾ 📁 references

│ ├─ 📝 dangerous-commands.md Markdown 185L · 4.6 KB

│ └─ 📝 rules.md Markdown 192L · 6.1 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 run.sh Shell 3L · 83 B

│ ├─ 🔧 scan-all.sh Shell 116L · 4.2 KB

│ └─ 🔧 scan.sh Shell 472L · 21.9 KB

├─ 📜 index.js JavaScript 13L · 326 B

├─ 📝 SKILL_EN.md Markdown 183L · 4.9 KB

├─ 📝 SKILL.md Markdown 460L · 17.0 KB

└─ 📄 whitelist.txt Text 2L · 32 B

安全亮点

✓ Comprehensive documentation with clear capability declarations

✓ All shell/network operations are declared in SKILL.md

✓ Static analysis only - does not execute code from target skills

✓ Proper cleanup of temporary directories after scanning

✓ Includes whitelist mechanism for trusted skills

✓ Supports JSON/JSONL output for programmatic analysis

✓ Reference documentation clearly explains detection rules

✓ Legitimate security scanning use case