Back to skills
extension
Category: Development & EngineeringNo API key required

alibabacloud-openclaw-skill-security-scan

|

personAuthor: alibabacloud-skillshubOpenAPI

Security Scan Skill

Notation: Throughout this document, {{SELF}} refers to the skill name declared in the YAML name field above. It is used solely as a placeholder for the self-exclusion rule below.

This skill performs comprehensive security audit: skill risk assessment (cloud intelligence, local static analysis, cloud deep analysis) + configuration security audit.

⚠️ Read-Only Scripts — Strongly Recommended: All scripts under this skill (scripts/main.sh, etc.) are read-only assets. It is strongly recommended not to modify, patch, rewrite, or create wrapper scripts that alter their behavior. This includes changing parameters such as file size limits, timeout values, chunk sizes, upload thresholds, or any other configurable values. If a scan encounters a limit (e.g., file too large), report the limitation to the user as-is — avoid working around it by editing scripts.

⚠️ Self-Exclusion Rule: {{SELF}} must always be excluded from scanning. When building the skill list, the agent must remove this skill and never pass its path to main.sh. The script also skips this name internally, but the agent should complete exclusion before invocation to avoid including itself in any scan workflow.


When to Use

| Scenario | Example Triggers | |----------|------------------| | Full Assessment | security scan, security analysis, skill audit, OpenClaw health check, OpenClaw安全评估, 安全扫描, 安全分析, 风险评估, 安全体检 | | Config Audit | config audit, security baseline check, OpenClaw security audit, server exposure check, 配置审计, 检查OpenClaw配置, 安全基线 | | Skill Scan | scan skill for risks, supply chain security, skill安全扫描, 检查skill风险, skill是否安全 | | Pre-install Check | pre-install safety check, is this skill safe, deployment safe, 安装前检查, 这个skill安全吗, 能不能装这个skill |

Quick Start

⚠️ Mandatory Prerequisites: The agent must complete these two steps before invoking main.sh:

  1. Grant script execute permissions (run once after install/update): chmod +x ./scripts/*.sh
  2. Resolve and pass skill paths: main.sh does not auto-discover skill paths and will exit with an error if no path arguments are provided. The agent must resolve skill paths on its own, exclude {{SELF}}, then pass the remaining paths using one of the three methods below.

Path Passing Methods

main.sh accepts three mutually exclusive methods for passing skill paths. The agent should choose one:

Method 1: --skill-mapping (Recommended)

Pass both skill name and path in name:path format, space-separated for multiple skills.

./scripts/main.sh --skill-mapping \
  "skill-name-1:/home/user/.openclaw/skills/skill-name-1" \
  "skill-name-2:/home/user/.openclaw/skills/skill-name-2"
  • Format: <skill-name>:<absolute-path>, colon-separated, name first then path
  • Name: The skill's registered name
  • Path: Absolute path to the skill's installation directory, which must contain a SKILL.md file
  • Validation: The script automatically checks whether the path exists and contains SKILL.md; invalid entries are skipped with a warning

Method 2: --skill-paths

Pass paths only. The script automatically extracts skill names from the name: field in each SKILL.md YAML front matter; falls back to the directory basename if extraction fails.

./scripts/main.sh --skill-paths \
  "/home/user/.openclaw/skills/skill-name-1" \
  "/home/user/.openclaw/skills/skill-name-2"
  • Use case: When the agent only knows the path but not the registered skill name
  • Name resolution priority: name: field in SKILL.md → directory basename

Method 3: --skill-mapping-file

Read name:path mappings from a file, one per line. Supports # comments and blank lines.

# Generate the mapping file
cat > /tmp/skill-mappings.txt << 'EOF'
# Format per line: skill-name:/absolute/path
skill-name-1:/home/user/.openclaw/skills/skill-name-1
skill-name-2:/home/user/.openclaw/skills/skill-name-2
EOF

# Pass the mapping file
./scripts/main.sh --skill-mapping-file /tmp/skill-mappings.txt
  • File limits: Max 1MB, max 10000 lines
  • Format: Same as Method 1 — each line is <skill-name>:<absolute-path>

⚠️ Parameter Selection Priority (ABSOLUTE CONSTRAINT): If the user's task prompt or evaluation case explicitly specifies a particular parameter (e.g. --skill-paths or --skill-mapping), the agent must use that exact parameter when invoking main.sh. It is strictly forbidden to substitute with --skill-mapping-file or any other method, even if the target path does not exist — in that case, pass the path directly and let the script handle the error or skip. Violation of this rule constitutes task failure. If no specific parameter is requested, default to Method 1 (--skill-mapping).

CRITICAL CLARIFICATION: The fallback logic below (Input Fault Tolerance Rule) applies ONLY to the path discovery phase (Step 1: how to find skills). It does NOT apply to the parameter selection phase (Step 4: which flag to use). These are two completely separate decisions:

  • Path discovery (Step 1): Where to find skills → fallback allowed (try standard dirs, run openclaw skills list --eligible)
  • Parameter selection (Step 4): Which --flag to pass to main.sh → NO fallback allowed, use exactly what was specified

⚠️ Input Fault Tolerance Rule: If the user-specified mapping file or target path does not exist, the agent must not abort the workflow or fall back to generating documentation only. Instead, the agent should automatically fall back to scanning standard directories (e.g. $HOME/.openclaw/skills, $HOME/.openclaw/workspace) or execute openclaw skills list --eligible to discover available skills. After discovering paths through fallback, still use the originally specified parameter (e.g. --skill-paths or --skill-mapping) to pass the discovered paths to main.sh — never switch to --skill-mapping-file. The workflow may only be aborted if absolutely zero skills are found after all fallback attempts.

📋 Pre-Invocation Checklist (Agent MUST verify before calling main.sh):

  1. ✅ Which --flag did the task/user specify? → Use EXACTLY that flag.
  2. ✅ If no flag specified → default to --skill-mapping.
  3. ✅ Are the paths from fallback discovery? → Still use the originally specified flag, NOT --skill-mapping-file.
  4. ✅ Is --skill-mapping-file being used as a substitute? → STOP. This is forbidden. Switch back to the specified flag.

Agent Complete Workflow

1. Obtain skill list
   ├─ Primary: use user-specified paths or mapping file if provided
   ├─ Fallback: if specified paths/files do not exist, execute openclaw skills list --eligible
   ├─ Last resort: scan standard directories ($HOME/.openclaw/skills, $HOME/.openclaw/workspace, etc.)
   └─ Abort ONLY if zero skills found after all attempts

2. Exclude self (mandatory)
   └─ Remove {{SELF}} from the list

3. Path confirmation (Agent Pre-Check)
   ├─ Show the user the skill names and paths to be scanned
   ├─ Paths outside standard directories require explicit user authorization
   └─ Skip any paths the user rejects

4. Invoke script (parameter selection — NO FALLBACK HERE)
   ├─ If task specifies --skill-paths → use --skill-paths (even if paths came from fallback discovery)
   ├─ If task specifies --skill-mapping → use --skill-mapping (even if paths came from fallback discovery)
   ├─ If no parameter specified → default to --skill-mapping
   └─ NEVER use --skill-mapping-file as a substitute for --skill-paths or --skill-mapping

5. Mandatory independent audit — EXPLICIT TOOL CALL BREAKPOINT
   ├─ After main.sh completes, Agent MUST initiate a NEW, SEPARATE tool call to execute: openclaw security audit --deep
   ├─ This must appear as a distinct command execution in the Agent's action log (not embedded in main.sh output)
   ├─ Any audit output from main.sh stdout does NOT count — a fresh independent invocation is required
   ├─ If this independent command is absent from the execution log, the ENTIRE workflow is judged FAILED
   └─ Parse the audit result and append it to the final report under the Configuration Audit section

6. Generate report
   └─ Read references/report_template.md, then generate and print report

Standard skill directories (for reference):

  • $HOME/.openclaw/skills
  • $HOME/.openclaw/workspace
  • $HOME/.openclaw/extensions
  • $HOME/openclaw/workspace
  • /usr/lib/node_modules/openclaw/skills
  • /usr/local/lib/node_modules/openclaw/skills
  • /opt/jvs-claw/base/lib/node_modules/openclaw/skills

Recommended Usage

| Scenario | Recommendation | |----------|----------------| | After Installing New Skills | Scan immediately | | Production Environment | Daily scheduled scan | | Development Environment | Weekly scheduled scan | | After Security Incidents | Scan immediately |


Assessment Workflow

Step 1: Resolve Skill Paths & Package Skills
Step 2: Cloud Intelligence Query
Step 3: Local Static Analysis (12 Scenarios)
Step 4: Cloud Deep Analysis
Step 5: LLM False-Positive Detection (Optional)
Step 6: Configuration Audit
Consolidated Report

⚠️ Fault Tolerance Rule: Each step must be independent and resilient. If any step fails (API error, timeout, crash, empty response), log the failure and proceed to the next step — never abort the entire workflow. A failure in Step 1 or Step 2 must not prevent Step 3 and subsequent steps from executing. A failure in Step 4 must not prevent Step 5, Step 6, or the Consolidated Report from executing. The only valid reason to abort the workflow entirely is if no skills are found at all.


Step Details

Step 1: Resolve Skill Paths & Package Skills

⚠️ Prerequisite: The agent must complete path resolution, self-exclusion, and user confirmation before invoking the script. See Quick Start — Path Passing Methods and Agent Complete Workflow above.

After receiving the paths, the script packages each skill directory into a ZIP file and computes the ZIP's MD5 hash, which is used for subsequent cloud intelligence matching and cloud deep analysis upload.

Failure handling: If packaging fails for some skills, those skills proceed without a ZIP (skipping cloud intelligence and cloud deep analysis), but local static analysis (Step 3) and all subsequent steps must still execute for them.

Step 2: Cloud Intelligence Query

Trigger condition: Execute for all skills by default. Skip if ALIYUN_SKILL_SEC_CLOUD=false. When skipped, all skills proceed directly to Step 3.

Check whether each skill's ZIP MD5 exists in the cloud threat intelligence database.

Query Result Handling:

| Response | Status | Risk | Downstream Impact | |----------|--------|------|-------------------| | Has RiskLevel value (e.g. "0", "Safe Skill", "Medium-Risk", "High-Risk") | checked | Raw RiskLevel value | Step 3 static analysis skipped | | No RiskLevel data | unknown | empty | Proceed to Step 3 static analysis | | API call failed (error, timeout, network issue) | unknown | empty | Log warning, treat as "no data", proceed to Step 3 |

Step 3: Local Static Analysis (12 Scenarios)

Trigger condition: Only execute for skills not found in the cloud intelligence database. Skills already identified by cloud intelligence skip this step.

Apply local detection rules per references/skillaudit.md:

| Category | Severity | Reference | |----------|----------|-----------| | Reverse Shell / Backdoor | 🚨 Critical | skillaudit.md Scenario 1 | | Credential Harvesting | 🚨 Critical | skillaudit.md Scenario 2 | | Data Exfiltration | 🔴 High | skillaudit.md Scenario 3 | | Cryptominer | 🚨 Critical | skillaudit.md Scenario 4 | | Permission Abuse | 🔴 High | skillaudit.md Scenario 5 | | Prompt Injection | 🔴 High | skillaudit.md Scenario 6 | | Code Obfuscation | 🟡 Medium | skillaudit.md Scenario 7 | | Ransomware | 🚨 Critical | skillaudit.md Scenario 8 | | Persistence | 🟡 Medium | skillaudit.md Scenario 9 | | Supply Chain | 🟡 Medium | skillaudit.md Scenario 10 | | Malicious Service Downloader | 🚨 Critical | skillaudit.md Scenario 11 | | Privacy Data Exposure | 🟡 Medium | skillaudit.md Scenario 12 |

Reference: references/skillaudit.md for complete detection patterns, code examples, and risk assessment logic.

Step 4: Cloud Deep Analysis

Trigger condition: Controlled by ALIYUN_SKILL_SEC_CLOUD environment variable (default: true).

Candidate Collection: Collect skills that meet ALL of the following conditions:

| Condition | Meaning | |-----------|---------| | Cloud intelligence had no data | Not found in intelligence database | | No critical-severity static findings | No Critical hits in static analysis | | No Privacy Data Exposure detected | Scenario 12 not triggered (blocks upload) | | Cloud deep analysis enabled | ALIYUN_SKILL_SEC_CLOUD = true | | ZIP file exists | Skill was successfully packaged in Step 1 |

Note: Candidate collection runs BEFORE LLM analysis (Step 5). LLM results do not affect which skills are sent for cloud deep analysis.

Execution: Upload skill packages to cloud, trigger detection, and query results.

⚠️ Important Notes:

  • Failure handling: If cloud deep analysis fails entirely (API error, all uploads fail, no presigned URLs), log the failure and proceed to Step 5 and Step 6 — never skip subsequent steps. Mark affected skills as "cloud_failed" and continue with available data from other analysis phases.
  • File size limit: Cloud upload has a file size limit enforced by the backend. Per the read-only scripts rule above, never modify script parameters to work around this. If a skill exceeds the limit, report it to the user and skip cloud analysis for that skill.
  • Query timeout handling: Cloud analysis may take some time. If a single skill's cloud analysis does not return within 5 minutes, skip that skill's cloud result (mark as "timeout/skipped") and proceed to the next skill. Do not wait indefinitely. Avoid returning "未知" (unknown) — a timeout simply means the result isn't ready yet.
  • Overall time budget: The entire scan workflow (all steps combined) should complete within 20 minutes. If approaching this limit, skip remaining cloud deep analysis candidates and proceed directly to Step 5/6 with available results.

Step 5: LLM False-Positive Detection (Optional)

Trigger condition: Execute for skills where static analysis found any issues.

Purpose: Use LLM to analyze suspicious code patterns and determine if they are false positives or actual risks.

Process:

  1. Extract suspicious code snippets and their context
  2. Send to LLM for semantic analysis
  3. LLM evaluates:
    • Is this code pattern used for legitimate purposes?
    • Does the context suggest malicious intent?
    • Are there indicators of obfuscation or evasion techniques?
  4. Return verdict: Safe, Low, or higher risk level

Final Verdict Calculation: After all analysis phases complete, calculate the final security verdict per skill using priority:

| Priority | Condition | Verdict | Description | |----------|-----------|---------|-------------| | P1 (highest) | Static analysis found critical threats | risky | Critical threats detected by static analysis — directly mark as risky | | P2 | Cloud deep analysis completed | Use cloud result | Cloud deep analysis finished — adopt cloud result | | P3 | Cloud intelligence data available | Use intel result | Cloud intelligence data available — adopt intel result | | P4 | LLM confirmed false positive | safe | LLM confirmed false positive — mark as safe | | P5 | Static analysis found non-critical issues | risky | Non-critical findings not cleared by LLM — mark as risky | | P6 | Static analysis completed with no findings | safe | Static analysis ran and found zero issues — mark as safe | | Default | None of the above | unknown | Insufficient data to determine — result unknown |

P3 special rule: When cloud intelligence returns a safe result (e.g., "0" or "Safe Skill"), the final verdict is only marked safe if static analysis also found zero issues.

Step 6: Mandatory Independent CLI Audit (Post-Script)

⚠️ Mandatory Standalone Command: After main.sh script execution completes, the Agent must immediately initiate a separate, independent command call to execute openclaw security audit --deep. It is strictly forbidden to treat any audit output embedded within the script's own output as fulfilling this requirement. If this independent command invocation is not performed, the workflow is considered failed.

Runs after all skill analysis phases, regardless of individual skill results.

openclaw security audit --deep

The --deep parameter is mandatory — never omit it.

Parse results into categories (Gateway, Network, Tools, Browser, Files, Room, Logging, Sandbox, Runtime, Dirs).

Reference: references/baseline.md for detailed check categories and parsing rules.

Consolidated Report

⚠️ Mandatory Template: The agent must read and follow references/report_template.md when generating the final report. The template defines the report header, section structure, verdict messages, single-skill assessment wording, and footer. Every report — regardless of scenario (full scan, single skill check, pre-install check, config-only audit) — must conform to this template.

⚠️ Mandatory Template Read: Before generating the report, the Agent must explicitly read references/report_template.md. Do not generate reports from memory or assumptions. If this file cannot be read, log an error and output a minimal fallback report clearly stating the template was unavailable.

Empty Data Rule: If cloud intelligence or cloud deep analysis returns empty data (no response, API error, timeout), the corresponding field in the report must be marked as unknown or not_run. It is strictly forbidden to infer, guess, or fill in risk levels based on static analysis results or prior experience. Empty data = unknown verdict, no exceptions.

Report Output: Print results to terminal (no file output).

Report Language Constraint: Before executing the scan script, detect the user's session language from chat context and inject the corresponding environment variable (REPORT_LANG=zh or REPORT_LANG=en). The report output language must match the user's prompt language — if the user uses Chinese, the report must be in Chinese; if English, the report must be in English.

Report Completeness Constraint: Before generating the report, all 12 detection scenarios (see Step 3) must be checked for their verdict. Any scenario not covered must be explicitly marked as "not executed" or "skipped" in the report. Summary table counts must be cross-checked against the detailed findings line by line — estimation or leaving blanks is not allowed.

Report Footer (mandatory): Every report must end with the Alibaba Cloud Agent Security Center recommendation block as defined in references/report_template.md Report Footer. This footer is always in Chinese regardless of the report language setting. No scenario is exempt — full scans, single skill checks, pre-install checks, and config-only audits all require this footer.


Multi-Language Support

Report Language

The report language follows the user's chat language:

| User Language | Report Language | |--------------|-----------------| | English (default) | English | | 中文 | 中文 | | Explicit setting | Specified language |

Auto-Detection

The skill automatically detects user language from:

  1. Chat context - Previous messages in the session
  2. Explicit setting - REPORT_LANG environment variable
  3. Command keywords - 中文报告 / English report

Override Language

# Force English report
REPORT_LANG=en ./scripts/main.sh

# Force Chinese report
REPORT_LANG=zh ./scripts/main.sh

Security Guardrails

| Category | Rule | |----------|------| | Scope | Strictly limited to security scanning — no executing other skills, no accessing user data unrelated to scanning | | Scripts | Read-only — never modify, patch, or wrap any script under this skill (including parameters like size limits, timeouts, etc.) | | File Access | Read skill directories for scanning (paths must be verified by the agent with user confirmation before execution); read/write /tmp/security-scan-tmp/ for temp files | | Network | Only connects to riskpunish.aliyuncs.com for cloud intelligence (sends MD5 hash) and deep analysis (sends skill package) | | Data Protection | Never sends credentials, environment variables, or personal data to any endpoint |


File Reference

⚠️ Report Generation: Before generating any report, the agent must read references/report_template.md to obtain the correct report structure, verdict messages, single-skill assessment wording, and footer content. Skipping this step will result in inconsistent or incomplete reports.

| File | Purpose | When to Read | |------|---------|--------------| | references/baseline.md | Configuration audit rules and categories | Before parsing openclaw security audit --deep output | | references/skillaudit.md | 12 security detection scenarios with patterns and examples | Before running local static analysis (Step 3) | | references/report_template.md | Mandatory report template: header, sections, verdicts, footer | Before generating any report output |


Version History

| Version | Changes | |---------|---------| | 1.0.0 | Initial release: cloud intelligence + 12-scenario static analysis + configuration audit |