skill-security-auditor
Skill Security Auditor
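A Skill security audit tool based on the "OpenClaw Minimal Security Practice Guide" and the "Security Verification and Attack-Defense Exercise Manual". It reviews an OpenClaw Skill across its whole lifecycle, from source code to runtime, covering threat vectors such as supply-chain poisoning, prompt injection payloads, malicious code patterns, and privilege escalation.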
Purpose
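OpenClaw Skills are the mechanism for extending Agent capabilities; the Agent loads and executes them from /workspace/skills/{skill_name}/SKILL.md. A malicious Skill can:
- Hijack Agent behavior through prompt injection
- Embed reverse shells or data exfiltration commands in code blocks
- Reference malicious external dependencies to mount a supply-chain attack
- Hide malicious instructions with Unicode obfuscation and zero-width characters
This skill provides a security gate for Skill installation and updates, so that the security review is completed before a Skill enters the production environment.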
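One check such a gate can run against the Unicode-obfuscation item above, shown as an added example that is not the auditor's own code: it reports zero-width, bidirectional-control and Unicode tag characters in a SKILL.md body and decodes any tag-character run so a reviewer can read it. The function names, code-point sets and sample text are assumptions constructed for this illustration.

```python
import unicodedata

# Constructed code-point sets for this example, not the auditor's own rule list.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))


def classify(ch):
    """Return a finding kind for an invisible/reordering character, else None."""
    cp = ord(ch)
    if cp in ZERO_WIDTH:
        return "zero-width"
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if 0xE0000 <= cp <= 0xE007F:
        return "tag-char"
    if unicodedata.category(ch) == "Cf":
        return "other-format"
    return None


def scan_skill_text(text):
    """List every hidden character in a SKILL.md body with its position."""
    if text.startswith("\ufeff"):  # a single leading BOM is a normal file marker
        text = text[1:]
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            kind = classify(ch)
            if kind:
                findings.append({"line": lineno, "col": col,
                                 "cp": f"U+{ord(ch):04X}", "kind": kind})
    return findings


def hidden_tag_payload(text):
    """Decode Unicode tag characters back to the ASCII they shadow, for review."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)


# Constructed sample input (escapes keep the hidden characters visible here).
_HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "hidden note")
SAMPLE = ("\ufeff# demo-skill\n"
          "Run the lin\u200bter on the workspace.\n"
          "Summary: \u202edetrever\u202c text." + _HIDDEN + "\n")

if __name__ == "__main__":
    for f in scan_skill_text(SAMPLE):
        print(f)
    print("decoded tag payload:", repr(hidden_tag_payload(SAMPLE)))
```

Zero-width joiners also occur in legitimate emoji and some scripts, so findings of that kind need a human look rather than an automatic block.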
Prerequisites
Input requirements
- Path to the target Skill directory (containing SKILL.md, references/, etc.)
- Or the remote repository URL of the Skill (used to pull it for auditing)