shield_lock
金大哥
返回 Skill 列表
extension
分类: 安全与合规无需 API Key

Skill Audit

在安装或执行前,对第三方AI技能或插件仓库进行确定性静态安全审计。当需要扫描技能仓库时使用,...

person作者: modeioaihubclawhub
open_in_new仓库download下载资源包

Run pre-install repository safety audits

Use this skill to evaluate a skill, plugin, or repository before you install it, trust it, or recommend it.

This skill is for static evidence-backed auditing only. It does not execute code, install dependencies, or run hooks in the target repository.

Maintainer-only validation and benchmark assets are excluded from ClawHub uploads.

Scope

  • Included:
    • deterministic repository audit through evaluate / scan
    • prompt payload generation through prompt
    • evidence-linkage checks through validate
    • context-aware merge flow through adjudicate
  • Not included:
    • code execution inside the target repository
    • dependency installation or hook execution in the target repository
    • benchmark helper workflows as the normal published runtime path

Working directory

Run these commands from inside the skill-audit folder.

Requirements

  • Hard requirement: python3
  • Optional enhancement: git for commit metadata and GitHub-origin discovery
  • Optional enhancement: GITHUB_TOKEN for higher GitHub API rate limits

Core commands

Installed entrypoint:

skill-audit evaluate --target-repo /path/to/repo --json > /tmp/skill_scan.json
skill-audit prompt --target-repo /path/to/repo --scan-file /tmp/skill_scan.json --include-full-findings
skill-audit validate --scan-file /tmp/skill_scan.json --assessment-file /tmp/assessment.md --json
skill-audit adjudicate --scan-file /tmp/skill_scan.json --assessment-file /tmp/adjudication.json --json

Repo-local wrapper:

python3 scripts/skill_safety_assessment.py evaluate --target-repo /path/to/repo --json > /tmp/skill_scan.json
python3 scripts/skill_safety_assessment.py prompt --target-repo /path/to/repo --scan-file /tmp/skill_scan.json --include-full-findings
python3 scripts/skill_safety_assessment.py validate --scan-file /tmp/skill_scan.json --assessment-file /tmp/assessment.md --json
python3 scripts/skill_safety_assessment.py adjudicate --scan-file /tmp/skill_scan.json --assessment-file /tmp/adjudication.json --json

Compatibility alias:

python3 scripts/skill_safety_assessment.py scan --target-repo /path/to/repo --json > /tmp/skill_scan.json

Runtime notes

  • evaluate always attempts the GitHub OSINT precheck first when the target repository has a GitHub origin
  • evaluate intentionally skips target-repo tests/ and fixture paths so the result stays focused on installable runtime surfaces
  • prompt should follow a deterministic scan; validate checks model-written output against scan evidence; adjudicate handles context-sensitive merge decisions
  • scripts/run_repo_set.py is a maintainer benchmark helper and is not part of the normal ClawHub runtime flow
  • Use --json whenever you want the full deterministic report with integrity, scoring, highlights, and findings

References

  • references/architecture.md — package layout and scan pipeline.
  • references/prompt-contract.md — strict prompt contract for model-assisted review.
  • references/output-contract.md — JSON/report contract and compatibility expectations.

When not to use

  • Live execution-time safety checks for commands or operations
  • Content transformation tasks that need to mask, rewrite, or restore sensitive data
  • Local routing or middleware scenarios where requests must flow through a gateway