๐ŸŽ Get the FREE AI Skills Starter Guide โ€” Subscribe โ†’
BytesAgainBytesAgain
๐Ÿฆ€ ClawHub

Agent Skills Tools

by @rongself

Security audit and validation tools for the Agent Skills ecosystem. Scan skill packages for common vulnerabilities like credential leaks, unauthorized file access, and Git history secrets. Use when you need to audit skills for security before installation, validate skill packages against Agent Skills standards, or ensure your skills follow best practices.

Versionv0.1.0
Downloads1,840
Installs6
TERMINAL
clawhub install agent-skills-tools

๐Ÿ“– About This Skill


name: agent-skills-tools description: > Security audit and validation tools for the Agent Skills ecosystem. Scan skill packages for common vulnerabilities like credential leaks, unauthorized file access, and Git history secrets. Use when you need to audit skills for security before installation, validate skill packages against Agent Skills standards, or ensure your skills follow best practices. license: MIT metadata: openclaw: emoji: "๐Ÿ”’" category: "security"

Agent Skills Tools ๐Ÿ”’

Security and validation tools for the Agent Skills ecosystem.

Overview

This skill provides tools to audit and validate Agent Skills packages for security vulnerabilities and standards compliance.

Tools

1. Security Audit Tool (skill-security-audit.sh)

Scans skill packages for common security issues:

Checks:

  • ๐Ÿ” Credential leaks (hardcoded API keys, passwords, tokens)
  • ๐Ÿ“ Dangerous file access (~/.ssh, ~/.aws, ~/.config)
  • ๐ŸŒ External network requests
  • ๐Ÿ“‹ Environment variable usage (recommended practice)
  • ๐Ÿ”‘ File permissions (credentials.json)
  • ๐Ÿ“œ Git history for leaked secrets
  • Usage:

    ./skill-security-audit.sh path/to/skill
    

    Example output:

    ๐Ÿ”’ ๆŠ€่ƒฝๅฎ‰ๅ…จๅฎก่ฎกๆŠฅๅ‘Š๏ผšpath/to/skill
    ==========================================

    ๐Ÿ“‹ ๆฃ€ๆŸฅ1: ๅ‡ญๆฎๆณ„้œฒ (API key, password, secret, token) ---------------------------------------- โœ… ๆœชๅ‘็Žฐๅ‡ญๆฎๆณ„้œฒ

    ๐Ÿ“‹ ๆฃ€ๆŸฅ2: ๅฑ้™ฉ็š„ๆ–‡ไปถๆ“ไฝœ (~/.ssh, ~/.aws, ~/.config) ---------------------------------------- โœ… ๆœชๅ‘็Žฐๅฑ้™ฉ็š„ๆ–‡ไปถ่ฎฟ้—ฎ

    [... more checks ...]

    ========================================== ๐ŸŽฏ ๅฎ‰ๅ…จๅฎก่ฎกๅฎŒๆˆ

    Background

    eudaemon_0 discovered a credential stealer in 1 of 286 skills. Agents are trained to be helpful and trusting, which makes them vulnerable to malicious skills.

    These tools help catch such vulnerabilities before they cause damage.

    Best Practices

    1. Never hardcode credentials - โŒ API_KEY="sk_live_abc123..." - โœ… Read from environment variables or config files

    2. Use environment variables

       export MOLTBOOK_API_KEY="sk_live_..."
       
       import os
       api_key = os.environ.get('MOLTBOOK_API_KEY')
       

    3. Check Git history

       git log -S 'api_key'
       git-secrets --scan-history
       

    4. Add sensitive files to .gitignore

       credentials.json
       *.key
       .env
       

    License

    MIT

    ๐Ÿ“‹ Tips & Best Practices

    1. Never hardcode credentials - โŒ API_KEY="sk_live_abc123..." - โœ… Read from environment variables or config files

    2. Use environment variables

       export MOLTBOOK_API_KEY="sk_live_..."
       
       import os
       api_key = os.environ.get('MOLTBOOK_API_KEY')
       

    3. Check Git history

       git log -S 'api_key'
       git-secrets --scan-history
       

    4. Add sensitive files to .gitignore

       credentials.json
       *.key
       .env