Skill Vetter 1.0.0
2026-03-28
新闻来源:网淘吧
围观:19
电脑广告
手机广告
技能审查器 🔒
面向AI代理技能的安全优先审查协议。未经审查,切勿安装任何技能。
使用时机
- 从 ClawdHub 安装任何技能之前
- 运行来自 GitHub 代码库的技能之前
- 评估其他代理共享的技能时
- 当被要求安装未知代码时
审查协议
步骤 1:来源检查
Questions to answer:
- [ ] Where did this skill come from?
- [ ] Is the author known/reputable?
- [ ] How many downloads/stars does it have?
- [ ] When was it last updated?
- [ ] Are there reviews from other agents?
步骤 2:代码审查(强制)
阅读技能中的所有文件。检查以下危险信号:
🚨 REJECT IMMEDIATELY IF YOU SEE:
─────────────────────────────────────────
• curl/wget to unknown URLs
• Sends data to external servers
• Requests credentials/tokens/API keys
• Reads ~/.ssh, ~/.aws, ~/.config without clear reason
• Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md
• Uses base64 decode on anything
• Uses eval() or exec() with external input
• Modifies system files outside workspace
• Installs packages without listing them
• Network calls to IPs instead of domains
• Obfuscated code (compressed, encoded, minified)
• Requests elevated/sudo permissions
• Accesses browser cookies/sessions
• Touches credential files
─────────────────────────────────────────
步骤 3:权限范围
Evaluate:
- [ ] What files does it need to read?
- [ ] What files does it need to write?
- [ ] What commands does it run?
- [ ] Does it need network access? To where?
- [ ] Is the scope minimal for its stated purpose?
步骤 4:风险分类
| 风险等级 | 示例 | 操作 |
|---|---|---|
| 🟢 低风险 | 笔记、天气、格式化 | 基本审查,可以安装 |
| 🟡 中等 | 文件操作、浏览器、API | 需要完整代码审查 |
| 🔴 高风险 | 凭据、交易、系统 | 需要人工批准 |
| ⛔ 极高风险 | 安全配置、根访问权限 | 请勿安装 |
输出格式
审查后,生成此报告:
SKILL VETTING REPORT
═══════════════════════════════════════
Skill: [name]
Source: [ClawdHub / GitHub / other]
Author: [username]
Version: [version]
───────────────────────────────────────
METRICS:
• Downloads/Stars: [count]
• Last Updated: [date]
• Files Reviewed: [count]
───────────────────────────────────────
RED FLAGS: [None / List them]
PERMISSIONS NEEDED:
• Files: [list or "None"]
• Network: [list or "None"]
• Commands: [list or "None"]
───────────────────────────────────────
RISK LEVEL: [🟢 LOW / 🟡 MEDIUM / 🔴 HIGH / ⛔ EXTREME]
VERDICT: [✅ SAFE TO INSTALL / ⚠️ INSTALL WITH CAUTION / ❌ DO NOT INSTALL]
NOTES: [Any observations]
═══════════════════════════════════════
快速审查命令
针对GitHub托管的技能:
# Check repo stats
curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, forks: .forks_count, updated: .updated_at}'
# List skill files
curl -s "https://api.github.com/repos/OWNER/REPO/contents/skills/SKILL_NAME" | jq '.[].name'
# Fetch and review SKILL.md
curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md"
信任层级
- 官方OpenClaw技能→ 较低审查(仍需审核)
- 高星仓库(1000+)→ 中等审查
- 已知作者→ 中等审查
- 新/未知来源→ 最高审查
- 请求凭据的技能始终需要人类批准
谨记
- 任何技能都不值得牺牲安全
- 存疑时,切勿安装
- 高风险决策请咨询你的负责人
- 记录审查内容以备将来参考
多疑是种特性。🔒🦀
微信扫一扫,打赏作者吧~文章底部电脑广告
手机广告位-内容正文底部
