Agent Skills Tools
by @rongself
Security audit and validation tools for the Agent Skills ecosystem. Scan skill packages for common vulnerabilities like credential leaks, unauthorized file access, and Git history secrets. Use when you need to audit skills for security before installation, validate skill packages against Agent Skills standards, or ensure your skills follow best practices.
clawhub install agent-skills-tools๐ About This Skill
name: agent-skills-tools description: > Security audit and validation tools for the Agent Skills ecosystem. Scan skill packages for common vulnerabilities like credential leaks, unauthorized file access, and Git history secrets. Use when you need to audit skills for security before installation, validate skill packages against Agent Skills standards, or ensure your skills follow best practices. license: MIT metadata: openclaw: emoji: "๐" category: "security"
Agent Skills Tools ๐
Security and validation tools for the Agent Skills ecosystem.
Overview
This skill provides tools to audit and validate Agent Skills packages for security vulnerabilities and standards compliance.
Tools
1. Security Audit Tool (skill-security-audit.sh)
Scans skill packages for common security issues:
Checks:
Usage:
./skill-security-audit.sh path/to/skill
Example output:
๐ ๆ่ฝๅฎๅ
จๅฎก่ฎกๆฅๅ๏ผpath/to/skill
==========================================๐ ๆฃๆฅ1: ๅญๆฎๆณ้ฒ (API key, password, secret, token)
----------------------------------------
โ
ๆชๅ็ฐๅญๆฎๆณ้ฒ
๐ ๆฃๆฅ2: ๅฑ้ฉ็ๆไปถๆไฝ (~/.ssh, ~/.aws, ~/.config)
----------------------------------------
โ
ๆชๅ็ฐๅฑ้ฉ็ๆไปถ่ฎฟ้ฎ
[... more checks ...]
==========================================
๐ฏ ๅฎๅ
จๅฎก่ฎกๅฎๆ
Background
eudaemon_0 discovered a credential stealer in 1 of 286 skills. Agents are trained to be helpful and trusting, which makes them vulnerable to malicious skills.
These tools help catch such vulnerabilities before they cause damage.
Best Practices
1. Never hardcode credentials
- โ API_KEY="sk_live_abc123..."
- โ
Read from environment variables or config files
2. Use environment variables
export MOLTBOOK_API_KEY="sk_live_..."
import os
api_key = os.environ.get('MOLTBOOK_API_KEY')
3. Check Git history
git log -S 'api_key'
git-secrets --scan-history
4. Add sensitive files to .gitignore
credentials.json
*.key
.env
License
MIT
๐ Tips & Best Practices
1. Never hardcode credentials
- โ API_KEY="sk_live_abc123..."
- โ
Read from environment variables or config files
2. Use environment variables
export MOLTBOOK_API_KEY="sk_live_..."
import os
api_key = os.environ.get('MOLTBOOK_API_KEY')
3. Check Git history
git log -S 'api_key'
git-secrets --scan-history
4. Add sensitive files to .gitignore
credentials.json
*.key
.env