Audit skills for supply-chain, privilege, and automation risk before adoption.
Required:
skill_manifest — the skill's SKILL.md or metadatasource_location — where the skill comes from (clawhub, git, local, unknown)required_permissions — what permissions the skill requestsshell_commands — any shell/CLI commands referenced by the skillenv_usage — environment variables the skill reads or writesinstall_steps — how the skill is installed / what it runs on installrisk_level: "low" | "medium" | "high" | "critical"
suspicious_actions: {
action: string
location: string
severity: "warning" | "critical"
description: string
recommendation: string
}[]
over_privileged_points: {
permission: string
why_needed: string | null
why_excessive: string
recommendation: string
}[]
install_recommendation: "approve" | "approve_with_sandbox" | "reject" | "manual_review"
sandbox_recommendation: {
recommended: boolean
isolation_level: "none" | "process" | "network" | "full"
reasons: string[]
} | null
audit_summary: string # one paragraph honest summary
| Level | Criteria |
|---|---|
| ------- | ---------- |
| low | Minimal permissions, no shell, no env secrets, known source |
| medium | Some filesystem access or env usage, known source |
| high | Shell commands, broad permissions, or unknown source |
| critical | Opaque install scripts, secret access, eval/exec patterns |
eval, exec, Function() — code executioncurl / wget with pipe to shell — remote code downloadchmod +x / sudo — privilege escalation~/.ssh, /etc/passwd, environment secretsread permissions on entire directorieswrite access to system paths| Source | Trust |
|---|---|
| -------- | ------- |
| ClawHub verified | medium (review anyway) |
| Known git repo | medium |
| Local skill | high |
| Unknown URL | low |
| Copy-pasted code | very low |
If source trust cannot be established:
risk_level = "high" minimumreject or manual_review共 1 个版本