agent-skills-tools
Security audit and validation tools for the Agent Skills ecosystem. Scan skill packages for common vulnerabilities such as credential leaks, unauthorized file access, and Git history secrets. Use when you need to audit skills for security before installation, validate skill packages against Agent Skills standards, or ensure your skills follow best practices.
Install via ClawdBot CLI:
clawdbot install rongself/agent-skills-tools
Security and validation tools for the Agent Skills ecosystem.
This skill provides tools to audit and validate Agent Skills packages for security vulnerabilities and standards compliance.
Scans skill packages for common security issues.
Checks: credential leaks (API keys, passwords, secrets, tokens), dangerous file operations (~/.ssh, ~/.aws, ~/.config), and secrets left in Git history.
Usage:
./skill-security-audit.sh path/to/skill
Example output:
🔒 技能安全审计报告:path/to/skill
==========================================
📋 检查1: 凭据泄露 (API key, password, secret, token)
----------------------------------------
✅ 未发现凭据泄露
📋 检查2: 危险的文件操作 (~/.ssh, ~/.aws, ~/.config)
----------------------------------------
✅ 未发现危险的文件访问
[... more checks ...]
==========================================
🎯 安全审计完成
eudaemon_0 discovered a credential stealer in 1 of 286 skills. Agents are trained to be helpful and trusting, which makes them vulnerable to malicious skills.
These tools help catch such vulnerabilities before they cause damage.
Hardcoded credential (flagged by check 1):
API_KEY="sk_live_abc123..."
Load credentials from the environment instead:
export MOLTBOOK_API_KEY="sk_live_..."
import os
api_key = os.environ.get('MOLTBOOK_API_KEY')
Search Git history for leaked secrets:
git log -S 'api_key'
git-secrets --scan-history
Sensitive files that should never be committed or packaged:
credentials.json
*.key
.env
License: MIT
Generated Mar 1, 2026
An AI platform provider uses this tool to scan all third-party skill submissions before making them available in their marketplace. This prevents malicious skills from reaching users and maintains platform security standards. Regular audits ensure existing skills remain compliant after updates.
A financial institution implements AI agents with custom skills for customer service. The security team uses this tool to validate all skills before deployment, checking for credential leaks and unauthorized file access. This ensures compliance with financial regulations and protects sensitive customer data.
Independent skill developers use this tool during their development workflow to catch security issues before submitting skills to marketplaces. The automated checks help maintain reputation by ensuring skills follow security best practices and avoid common vulnerabilities.
A university research lab studying AI agent ecosystems uses this tool to analyze skill packages for security patterns. The audit reports help identify common vulnerabilities in open-source skills and inform security education for AI developers.
A tech company integrates this tool into their CI/CD pipeline to automatically scan AI skill packages during build processes. Failed security audits block deployment, ensuring only validated skills reach production environments and maintaining security posture.
Offer the audit tool as a cloud service where developers submit skill packages for scanning via API. Charge monthly subscriptions based on scan volume and provide detailed compliance reports. Enterprise tiers could include custom rule sets and SLA guarantees.
License the tool to AI skill marketplaces who integrate it into their submission review process. Charge annual licensing fees based on marketplace size and transaction volume. Provide white-label options for marketplace branding.
Bundle this tool with other security products for AI/ML deployments. Sell as part of a comprehensive security suite that includes monitoring, compliance reporting, and incident response. Target large organizations deploying multiple AI agents.
💬 Integration Tip
Integrate the audit script into your CI/CD pipeline using a simple bash command, and configure it to fail builds when critical vulnerabilities are detected to enforce security standards automatically.
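As an added example (not the project's own skill-security-audit.sh), the following sh implements the two checks shown in the report above, credential leaks and dangerous file access, as functions whose exit status a CI step can act on, as the integration tip suggests; the function names and the constructed sample skill are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own skill-security-audit.sh: a minimal
# audit with the two checks shown in the report above (credential leaks,
# dangerous file access), written so a CI step can fail the build on its
# exit status. All function, variable and file names are assumptions.

# Check 1: hardcoded credentials. Flags api_key/password/secret/token
# assigned a quoted literal of 8+ characters. A lookup such as
# os.environ.get('MOLTBOOK_API_KEY') has no quoted literal after '=' and passes.
CRED_RE="(api[_-]?key|password|secret|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}"

# Check 2: dangerous file access (~/.ssh, ~/.aws, ~/.config).
PATH_RE='(~|\$HOME)/\.(ssh|aws|config)'

find_credentials()     { grep -rEin "$CRED_RE" "$1" 2>/dev/null; }
find_dangerous_paths() { grep -rEn  "$PATH_RE" "$1" 2>/dev/null; }

# audit_skill DIR: prints a report; returns 1 if any check fires, else 0.
audit_skill() {
    status=0
    echo "Security audit: $1"
    if hits=$(find_credentials "$1") && [ -n "$hits" ]; then
        echo "[FAIL] possible credential leak:"; echo "$hits"; status=1
    else
        echo "[OK] no credential leak found"
    fi
    if hits=$(find_dangerous_paths "$1") && [ -n "$hits" ]; then
        echo "[FAIL] dangerous file access:"; echo "$hits"; status=1
    else
        echo "[OK] no dangerous file access found"
    fi
    return $status
}

# make_sample_skills: constructed input, one clean and one leaky skill;
# prints the temporary directory that holds both.
make_sample_skills() {
    d=$(mktemp -d)
    mkdir -p "$d/clean" "$d/leaky"
    printf "import os\napi_key = os.environ.get('MOLTBOOK_API_KEY')\n" > "$d/clean/run.py"
    printf 'API_KEY="sk_live_abc123def456"\nls ~/.ssh/\n' > "$d/leaky/setup.sh"
    echo "$d"
}

# CI usage (the build fails on any finding):
#   audit_skill path/to/skill || exit 1
```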