{
  "schemaVersion": "1.0",
  "item": {
    "slug": "security-checker",
    "name": "Security Checker",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/johstracke/security-checker",
    "canonicalUrl": "https://clawhub.ai/johstracke/security-checker",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/security-checker",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=security-checker",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "scripts/security_scan.py"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/security-checker"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/security-checker",
    "agentPageUrl": "https://openagent3.xyz/skills/security-checker/agent",
    "manifestUrl": "https://openagent3.xyz/skills/security-checker/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/security-checker/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Security Checker",
        "body": "Security-scan Python skills before publishing to ensure code safety."
      },
      {
        "title": "Quick Start",
        "body": "security_scan.py <file_or_directory>\n\nExamples:\n\n# Scan a single Python file\nsecurity_scan.py scripts/my_script.py\n\n# Scan an entire skill directory\nsecurity_scan.py /path/to/skill-folder\n\n# Scan multiple skills\nsecurity_scan.py skills/"
      },
      {
        "title": "Dangerous Imports",
        "body": "Detects imports that could be used maliciously:\n\nos - System-level operations\nsubprocess - Command execution\nshutil - File operations\nsocket - Network operations\nurllib / requests - HTTP requests\n\nWhy dangerous? These imports enable system command execution, file manipulation, and network access that could be exploited."
      },
      {
        "title": "Dangerous Functions",
        "body": "Detects potentially unsafe function calls:\n\nos.system() - Executes shell commands\nsubprocess.call(), subprocess.run(), subprocess.Popen() - Command execution\neval() - Executes arbitrary code\nexec() - Executes arbitrary code\n\nWhy dangerous? These can execute arbitrary commands or code, leading to remote code execution vulnerabilities."
      },
      {
        "title": "Hardcoded Secrets",
        "body": "Detects tokens, keys, and passwords:\n\nAPI keys\nAuth tokens (including ClawHub tokens)\nPasswords\nPrivate keys\nJWT-like tokens\n\nWhy dangerous? Secrets leaked in published code can be stolen and abused."
      },
      {
        "title": "Unsafe File Operations",
        "body": "Detects risky file access patterns:\n\nAbsolute file paths outside expected directories\nParent directory traversal (..)\nWriting to system directories\n\nWhy dangerous? Could lead to unintended file access, data loss, or system modification."
      },
      {
        "title": "Usage Pattern: Pre-Publish Checklist",
        "body": "Before publishing any skill:\n\n# 1. Run security scan\nsecurity_scan.py /path/to/skill\n\n# 2. Review any warnings\n# If warnings appear, fix the code or document why it's safe\n\n# 3. Re-scan after fixes\nsecurity_scan.py /path/to/skill\n\n# 4. Only publish if scan passes\nclawhub publish /path/to/skill --slug my-skill ..."
      },
      {
        "title": "✅ \"No security issues found\"",
        "body": "Code appears safe. Proceed with publishing."
      },
      {
        "title": "⚠️ \"Warning\" (Yellow)",
        "body": "Potentially risky pattern detected. Review the specific line and decide:\n\nIs it legitimate? Document why in code comments or SKILL.md\nCan it be avoided? Refactor to safer alternatives\nIs it necessary? Clearly document the risk and purpose"
      },
      {
        "title": "🔴 \"Possible hardcoded secret\"",
        "body": "Secret detected. Before publishing:\n\nRemove the secret\nUse environment variables instead: os.getenv('API_KEY')\nDocument required env variables in SKILL.md\nNever commit real secrets"
      },
      {
        "title": "Legitimate os module usage (documented)",
        "body": "import os  # Used only for path.join() - safe file path construction\nworkspace = os.path.join(os.path.expanduser(\"~\"), \".openclaw\", \"workspace\")\n\nScan result: ⚠️ Warning about os import\nAction: Document safe usage pattern in code comments"
      },
      {
        "title": "Hardcoded secret (must fix)",
        "body": "API_KEY = \"sk-1234567890abcdef\"  # DON'T DO THIS\n\nScan result: 🔴 Possible hardcoded secret\nAction: Remove and use environment variable:\n\nAPI_KEY = os.getenv(\"MY_SKILL_API_KEY\")\n# Document in SKILL.md: Requires MY_SKILL_API_KEY environment variable"
      },
      {
        "title": "Safe pattern (no issues)",
        "body": "# JSON storage for local data only\ndata = {\"notes\": [], \"metadata\": {}}\nwith open(\"data.json\", \"w\") as f:\n    json.dump(data, f)\n\nScan result: ✅ No issues"
      },
      {
        "title": "Best Practices",
        "body": "Always scan before publishing - Make it part of your workflow\nReview warnings manually - The scanner can't judge context\nUse environment variables for secrets - Never hardcode\nPrefer json over eval - Safe parsing vs code execution\nDocument necessary risks - If dangerous code is required, explain why\nMinimize dangerous imports - Only use what's truly necessary\nKeep code simple - Complex code is harder to audit"
      },
      {
        "title": "Before committing to repo",
        "body": "# Pre-commit hook concept\npython3 /path/to/security_scan.py scripts/\nif [ $? -ne 0 ]; then\n    echo \"❌ Security scan failed. Fix issues before committing.\"\n    exit 1\nfi"
      },
      {
        "title": "Automated pre-publish check",
        "body": "#!/bin/bash\n# publish-safe.sh\n\nSKILL_PATH=$1\n\necho \"🔒 Running security scan...\"\npython3 /path/to/security_scan.py \"$SKILL_PATH\"\n\nif [ $? -ne 0 ]; then\n    echo \"❌ Cannot publish: Security scan failed\"\n    exit 1\nfi\n\necho \"✅ Security scan passed\"\nclawhub publish \"$SKILL_PATH\""
      },
      {
        "title": "Limitations",
        "body": "This scanner:\n\nCan't judge context - Some dangerous code may be legitimate\nStatic analysis only - Doesn't execute code\nPython-focused - Other languages need different tools\nBasic patterns - Sophisticated obfuscation may evade detection\n\nComplement with:\n\nManual code review\nTesting in isolated environment\nReading through all code before publishing\nUsing additional tools: bandit, safety"
      },
      {
        "title": "Trust Building",
        "body": "Publishing skills that pass security scans builds trust in the community:\n\nUsers know you care about safety\nYour reputation improves\nSkills get adopted more readily\nClawHub may highlight safe skills"
      },
      {
        "title": "Examples of Published Skills (All Scanned)",
        "body": "# research-assistant\nsecurity_scan.py /home/ubuntu/.openclaw/workspace/skills/research-assistant\n# ✅ All clear\n\n# task-runner  \nsecurity_scan.py /home/ubuntu/.openclaw/workspace/skills/task-runner\n# ✅ All clear\n\n# security-checker\nsecurity_scan.py /home/ubuntu/.openclaw/workspace/skills/security-checker\n# ✅ All clear\n\nAll three skills passed security scans before publishing to ClawHub."
      }
    ],
    "body": "Security Checker\n\nSecurity scan Python skills before publishing to ensure code safety.\n\nQuick Start\nsecurity_scan.py <file_or_directory>\n\n\nExamples:\n\n# Scan a single Python file\nsecurity_scan.py scripts/my_script.py\n\n# Scan an entire skill directory\nsecurity_scan.py /path/to/skill-folder\n\n# Scan multiple skills\nsecurity_scan.py skills/\n\nWhat It Checks\nDangerous Imports\n\nDetects imports that could be used maliciously:\n\nos - System-level operations\nsubprocess - Command execution\nshutil - File operations\nsocket - Network operations\nurllib / requests - HTTP requests\n\nWhy dangerous? These imports enable system command execution, file manipulation, and network access that could be exploited.\n\nDangerous Functions\n\nDetects potentially unsafe function calls:\n\nos.system() - Executes shell commands\nsubprocess.call(), subprocess.run(), subprocess.Popen() - Command execution\neval() - Executes arbitrary code\nexec() - Executes arbitrary code\n\nWhy dangerous? These can execute arbitrary commands or code, leading to remote code execution vulnerabilities.\n\nHardcoded Secrets\n\nDetects tokens, keys, and passwords:\n\nAPI keys\nAuth tokens (including ClawHub tokens)\nPasswords\nPrivate keys\nJWT-like tokens\n\nWhy dangerous? Secrets leaked in published code can be stolen and abused.\n\nUnsafe File Operations\n\nDetects risky file access patterns:\n\nAbsolute file paths outside expected directories\nParent directory traversal (..)\nWriting to system directories\n\nWhy dangerous? Could lead to unintended file access, data loss, or system modification.\n\nUsage Pattern: Pre-Publish Checklist\n\nBefore publishing any skill:\n\n# 1. Run security scan\nsecurity_scan.py /path/to/skill\n\n# 2. Review any warnings\n# If warnings appear, fix the code or document why it's safe\n\n# 3. Re-scan after fixes\nsecurity_scan.py /path/to/skill\n\n# 4. 
Only publish if scan passes\nclawhub publish /path/to/skill --slug my-skill ...\n\nInterpretation of Results\n✅ \"No security issues found\"\n\nCode appears safe. Proceed with publishing.\n\n⚠️ \"Warning\" (Yellow)\n\nPotentially risky pattern detected. Review the specific line and decide:\n\nIs it legitimate? Document why in code comments or SKILL.md\nCan it be avoided? Refactor to safer alternatives\nIs it necessary? Clearly document the risk and purpose\n🔴 \"Possible hardcoded secret\"\n\nSecret detected. Before publishing:\n\nRemove the secret\nUse environment variables instead: os.getenv('API_KEY')\nDocument required env variables in SKILL.md\nNever commit real secrets\nExamples\nLegitimate os module usage (documented)\nimport os  # Used only for path.join() - safe file path construction\nworkspace = os.path.join(os.path.expanduser(\"~\"), \".openclaw\", \"workspace\")\n\n\nScan result: ⚠️ Warning about os import Action: Document safe usage pattern in code comments\n\nHardcoded secret (must fix)\nAPI_KEY = \"sk-1234567890abcdef\"  # DON'T DO THIS\n\n\nScan result: 🔴 Possible hardcoded secret Action: Remove and use environment variable:\n\nAPI_KEY = os.getenv(\"MY_SKILL_API_KEY\")\n# Document in SKILL.md: Requires MY_SKILL_API_KEY environment variable\n\nSafe pattern (no issues)\n# JSON storage for local data only\ndata = {\"notes\": [], \"metadata\": {}}\nwith open(\"data.json\", \"w\") as f:\n    json.dump(data, f)\n\n\nScan result: ✅ No issues\n\nBest Practices\nAlways scan before publishing - Make it part of your workflow\nReview warnings manually - The scanner can't judge context\nUse environment variables for secrets - Never hardcode\nPrefer json over eval - Safe parsing vs code execution\nDocument necessary risks - If dangerous code is required, explain why\nMinimize dangerous imports - Only use what's truly necessary\nKeep code simple - Complex code is harder to audit\nIntegration with Development Workflow\nBefore committing to repo\n# Pre-commit hook 
concept\npython3 /path/to/security_scan.py scripts/\nif [ $? -ne 0 ]; then\n    echo \"❌ Security scan failed. Fix issues before committing.\"\n    exit 1\nfi\n\nAutomated pre-publish check\n#!/bin/bash\n# publish-safe.sh\n\nSKILL_PATH=$1\n\necho \"🔒 Running security scan...\"\npython3 /path/to/security_scan.py \"$SKILL_PATH\"\n\nif [ $? -ne 0 ]; then\n    echo \"❌ Cannot publish: Security scan failed\"\n    exit 1\nfi\n\necho \"✅ Security scan passed\"\nclawhub publish \"$SKILL_PATH\"\n\nLimitations\n\nThis scanner:\n\nCan't judge context - Some dangerous code may be legitimate\nStatic analysis only - Doesn't execute code\nPython-focused - Other languages need different tools\nBasic patterns - Sophisticated obfuscation may evade detection\n\nComplement with:\n\nManual code review\nTesting in isolated environment\nReading through all code before publishing\nUsing additional tools: bandit, safety\nTrust Building\n\nPublishing skills that pass security scans builds trust in the community:\n\nUsers know you care about safety\nYour reputation improves\nSkills get adopted more readily\nClawHub may highlight safe skills\nExamples of Published Skills (All Scanned)\n# research-assistant\nsecurity_scan.py /home/ubuntu/.openclaw/workspace/skills/research-assistant\n# ✅ All clear\n\n# task-runner  \nsecurity_scan.py /home/ubuntu/.openclaw/workspace/skills/task-runner\n# ✅ All clear\n\n# security-checker\nsecurity_scan.py /home/ubuntu/.openclaw/workspace/skills/security-checker\n# ✅ All clear\n\n\nAll three skills passed security scans before publishing to ClawHub."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/johstracke/security-checker",
    "publisherUrl": "https://clawhub.ai/johstracke/security-checker",
    "owner": "johstracke",
    "version": "1.0.1",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/security-checker",
    "downloadUrl": "https://openagent3.xyz/downloads/security-checker",
    "agentUrl": "https://openagent3.xyz/skills/security-checker/agent",
    "manifestUrl": "https://openagent3.xyz/skills/security-checker/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/security-checker/agent.md"
  }
}