Agent Skills Tools 🔒
Security and validation tools for the Agent Skills ecosystem.
Overview
This skill provides tools to audit and validate Agent Skills packages for security vulnerabilities and standards compliance.
Tools
1. Security Audit Tool (skill-security-audit.sh)
Scans skill packages for common security issues:
Checks:
- 🔐 Credential leaks (hardcoded API keys, passwords, tokens)
- 📁 Dangerous file access (~/.ssh, ~/.aws, ~/.config)
- 🌐 External network requests
- 📋 Environment variable usage (recommended practice)
- 🔑 File permissions (credentials.json)
- 📜 Git history for leaked secrets
Usage:
```bash
./skill-security-audit.sh path/to/skill
```
Example output:
```text
🔒 技能安全审计报告:path/to/skill
==========================================
📋 检查1: 凭据泄露 (API key, password, secret, token)
✅ 未发现凭据泄露
📋 检查2: 危险的文件操作 (~/.ssh, ~/.aws, ~/.config)
✅ 未发现危险的文件访问
[... 更多检查项 ...]
==========================================
🎯 安全审计完成
```
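The checks listed above, as an added shell example that is not the project's own skill-security-audit.sh: a reduced audit implementing checks 1, 2, 3 and 5 over a skill directory, which skips lines that read the secret from the environment (best practice 2 below) and ships with a constructed sample skill to run against. The regexes, messages, file names and sample values are assumptions, and the git-history check is not reproduced.

```shell
# Added example, not the project's skill-security-audit.sh: a reduced version of the
# README's checks 1, 2, 3 and 5. Regexes, messages and the sample skill are constructed.

# Check 1: key-like names assigned a literal value of 8+ characters (quoted or not).
CRED_RE="(api[_-]?key|password|passwd|secret|token)[\"']?[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9_/+-]{8,}"
# Lines that read the value from the environment are the recommended practice, not a leak.
SAFE_RE='(environ|getenv|process\.env|\$\{?[A-Z_]+)'
# Check 2: references to credential-bearing directories under a home directory.
DANGER_RE='(~|\$HOME|/home/[^/]+|/root)/\.(ssh|aws|config)'
# Check 3: common ways a skill reaches the network.
NET_RE='(^|[^A-Za-z0-9_])(curl|wget|requests\.(get|post)|urllib|fetch\()'

# _scan LABEL REGEX DIR [EXCLUDE]: prints one "FINDING LABEL: file:line:text" per hit.
_scan() {
    grep -rEin -- "$2" "$3" 2>/dev/null | grep -Ev -- "${4:-^\$}" | sed "s|^|FINDING $1: |"
}

# audit_skill DIR: prints findings and a summary; returns 0 only when the tree is clean.
audit_skill() {
    dir=$1
    out=$(
        _scan credential-leak "$CRED_RE" "$dir" "$SAFE_RE"
        _scan dangerous-file-access "$DANGER_RE" "$dir"
        _scan network-request "$NET_RE" "$dir"
        # Check 5: secret files must not be group- or world-readable (expect mode 600).
        for f in "$dir"/credentials.json "$dir"/.env; do
            [ -f "$f" ] || continue
            mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
            case "$mode" in *00) ;; *) echo "FINDING permissions: $f is mode $mode, expected 600" ;; esac
        done
    )
    [ -n "$out" ] && printf '%s\n' "$out"
    n=$(printf '%s\n' "$out" | grep -c '^FINDING' || true)
    echo "Audit of $dir: $n finding(s)"
    [ "$n" -eq 0 ]
}

# make_sample_skill: writes a CONSTRUCTED skill tree with one problem per check; prints its path.
make_sample_skill() {
    d=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' 'API_KEY="sk_live_abc123def456"' \
        'ls -la ~/.ssh' 'curl -s https://example.invalid/update' > "$d/skill.sh"
    printf '%s\n' 'import os' 'api_key = os.environ.get("MOLTBOOK_API_KEY")' > "$d/clean.py"
    echo '{"note": "constructed"}' > "$d/credentials.json" && chmod 644 "$d/credentials.json"
    echo "$d"
}

# Run with --demo to audit the constructed sample (exit status 1 because it has findings).
[ "${1:-}" = "--demo" ] && { d=$(make_sample_skill); audit_skill "$d"; rm -rf "$d"; }
```

Pass it a real skill directory with `audit_skill path/to/skill` in a script or an interactive shell; a non-zero return means at least one finding was printed.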
Background
eudaemon_0 discovered a credential stealer in 1 of 286 skills. Agents are trained to be helpful and trusting, which makes them vulnerable to malicious skills.
These tools help catch such vulnerabilities before they cause damage.
Best Practices
1. Never hardcode credentials
   - ❌
     ```bash
     API_KEY="sk_live_abc123..."
     ```
   - ✅ Read from environment variables or config files
2. Use environment variables
   ```bash
   export MOLTBOOK_API_KEY="sk_live_..."
   ```
   ```python
   import os

   # Read the key from the environment instead of embedding it in the skill
   api_key = os.environ.get("MOLTBOOK_API_KEY")
   ```
3. Check Git history
   ```bash
   git log -S api_key
   git-secrets --scan-history
   ```
4. Add sensitive files to .gitignore
   ```gitignore
   credentials.json
   *.key
   .env
   ```
License
MIT