Skill Security Auditor
Audit skills for supply-chain, privilege, and automation risk before adoption.
Input
Required:
- -
skill_manifest — the skill's SKILL.md or metadata - INLINECODE1� — where the skill comes from (clawhub, git, local, unknown)
- INLINECODE2� — what permissions the skill requests
- INLINECODE3� — any shell/CLI commands referenced by the skill
- INLINECODE4� — environment variables the skill reads or writes
- INLINECODE5� — how the skill is installed / what it runs on install
Output Schema
CODEBLOCK0
Risk Levels
| Level | Criteria |
|---|
| low | Minimal permissions, no shell, no env secrets, known source |
| medium |
Some filesystem access or env usage, known source |
| high | Shell commands, broad permissions, or unknown source |
| critical | Opaque install scripts, secret access, eval/exec patterns |
Suspicious Actions to Flag
- -
eval, exec, Function() — code execution - INLINECODE9� /
wget with pipe to shell — remote code download - INLINECODE11� /
sudo — privilege escalation - Reading
~/.ssh, /etc/passwd, environment secrets - Network calls to unknown hosts
- Base64-encoded or obfuscated commands
- Install scripts that fetch from unknown URLs
Over-Privileged Points to Flag
- - Filesystem access beyond the skill's stated scope
- Broad
read permissions on entire directories - INLINECODE16� access to system paths
- Environment variables containing tokens/keys
- Network access not strictly needed for stated function
Source Trust Levels
| Source | Trust |
|---|
| ClawHub verified | medium (review anyway) |
| Known git repo |
medium |
| Local skill | high |
| Unknown URL | low |
| Copy-pasted code | very low |
Rules
- 1. Never default-approve high-privilege skills. Burden of proof is on the skill, not the auditor.
- Flag remote install scripts and opaque shell chains. If you can't see what runs, flag it.
- Flag access to secrets, env vars, filesystem, or network where not strictly needed.
- Recommend isolation for untrusted skills. Better safe than sorry.
Failure Handling
If source trust cannot be established:
- - Default to
risk_level = "high" minimum - Recommend
reject or �INLINECODE19 - Do not fabricate a clean audit
- Explicitly state what could not be verified
技能安全审计
在采用技能前,对其供应链、权限和自动化风险进行审计。
输入
必需项:
- - skillmanifest — 技能的 SKILL.md 或元数据
- sourcelocation — 技能来源(clawhub、git、本地、未知)
- requiredpermissions — 技能请求的权限
- shellcommands — 技能引用的任何 shell/CLI 命令
- envusage — 技能读取或写入的环境变量
- installsteps — 技能的安装方式/安装时运行的内容
输出模式
risk_level: low | medium | high | critical
suspicious_actions: {
action: string
location: string
severity: warning | critical
description: string
recommendation: string
}[]
overprivilegedpoints: {
permission: string
why_needed: string | null
why_excessive: string
recommendation: string
}[]
installrecommendation: approve | approvewithsandbox | reject | manualreview
sandbox_recommendation: {
recommended: boolean
isolation_level: none | process | network | full
reasons: string[]
} | null
audit_summary: string # 一段诚实总结
风险等级
| 等级 | 标准 |
|---|
| 低 | 最小权限,无 shell,无环境密钥,已知来源 |
| 中 |
部分文件系统访问或环境变量使用,已知来源 |
| 高 | Shell 命令,广泛权限,或未知来源 |
| 严重 | 不透明安装脚本,密钥访问,eval/exec 模式 |
需标记的可疑操作
- - eval、exec、Function() — 代码执行
- curl / wget 管道至 shell — 远程代码下载
- chmod +x / sudo — 权限提升
- 读取 ~/.ssh、/etc/passwd、环境密钥
- 向未知主机的网络调用
- Base64 编码或混淆的命令
- 从未知 URL 获取的安装脚本
需标记的过度权限点
- - 超出技能声明范围的文件系统访问
- 对整个目录的广泛 read 权限
- 对系统路径的 write 访问
- 包含令牌/密钥的环境变量
- 声明功能非严格必需的网络访问
来源信任等级
| 来源 | 信任度 |
|---|
| ClawHub 已验证 | 中(仍需审查) |
| 已知 Git 仓库 |
中 |
| 本地技能 | 高 |
| 未知 URL | 低 |
| 复制粘贴的代码 | 极低 |
规则
- 1. 切勿默认批准高权限技能。 举证责任在技能方,而非审计方。
- 标记远程安装脚本和不透明的 shell 链。 若无法查看运行内容,则标记。
- 标记非严格必需的密钥、环境变量、文件系统或网络访问。
- 建议对不可信技能进行隔离。 安全总比后悔好。
失败处理
若无法建立来源信任:
- - 默认最低 risklevel = high
- 建议 reject 或 manualreview
- 不捏造干净的审计结果
- 明确说明哪些内容无法验证
