Skip to main content

Security-first static scanner for OpenClaw skills.

Project description

ClawAudit

ClawAudit 是一个面向 OpenClaw skill 生态的安全审计工具,覆盖静态扫描、运行时观测、目录展示和开发者工作流集成。

项目目标不是再做一个通用技能市场,而是补上 技能发现 -> 风险判断 -> 发布前审计 -> 版本变化追踪 这条链路中的信任层。

安装

发布版安装:

pip install kuiilabs-clawaudit

安装完成后仍然使用 clawaudit 这个命令。

本地开发安装:

python3 -m venv .venv
.venv/bin/python -m pip install -e '.[dev]'

快速开始

扫描一个本地 skill:

clawaudit scan ./my-skill

查看某条规则的详细说明:

clawaudit explain shell-exec

输出 JSON:

clawaudit scan ./my-skill --format json --no-persist

生成徽章:

clawaudit badge ./my-skill --format svg --output badge.svg

运行时观测:

clawaudit runtime-scan ./my-skill --format text

更完整的上手文档见 GETTING_STARTED.md

当前能力

静态扫描

  • 扫描本地目录、仓库 URL、带 #ref=<tag-or-branch> 的版本化 URL
  • 扫描 GitHub tree/<ref>/<subpath> 子目录链接
  • 批量扫描多个目标
  • 解析 SKILL.md 中的权限声明
  • 输出 textjsonmarkdownsarif
  • 支持 --fail-on--max-risk-score--enforce-policy
  • 支持 diffrelease-notesbadgediscover-targets

目录站与 API

  • FastAPI API
  • SQLite 报告存储
  • 技能列表页、详情页、手动扫描页
  • 历史 diff、badge、release notes 导出

运行时观测

  • runtime-scan
  • runtime_policyruntime_execution
  • 文件读写、环境变量、shell/subprocess、socket/HTTP 事件观测
  • local-subprocesslocal-isolated-copy runner
  • timeout 与策略阻断

本地开发

仓库内常用命令:

.venv/bin/clawaudit --version
.venv/bin/clawaudit scan ./tests/fixtures/safe_skill
.venv/bin/clawaudit explain shell-exec
.venv/bin/python -m unittest discover -s tests -v

运行 API 和 Web:

.venv/bin/clawaudit-api

或:

.venv/bin/python -m uvicorn services.api.app:app --reload

默认页面:

  • http://127.0.0.1:8000/
  • http://127.0.0.1:8000/scan

规则文档

规则说明现在拆分到了独立文件:

规则索引见 rules/README.md

示例仓库

仓库里已经补了一个本地样例集,可直接用于演示不同风险等级:

你可以直接扫描:

.venv/bin/clawaudit scan ./clawaudit-example-skill/safe-skill
.venv/bin/clawaudit scan ./clawaudit-example-skill/warning-skill
.venv/bin/clawaudit scan ./clawaudit-example-skill/high-risk-skill

文档索引

发布前检查

当前本地已经验证通过:

  • pip install -e .
  • clawaudit --version
  • clawaudit scan --help
  • clawaudit explain --help
  • python -m unittest discover -s tests -v
  • python -m build --no-isolation
  • python -m twine check dist/*

如果要继续做 TestPyPI / 正式 PyPI 发布,还需要可用的 TWINE_USERNAME / TWINE_PASSWORD 或 token。

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kuiilabs_clawaudit-0.1.1.tar.gz (53.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

kuiilabs_clawaudit-0.1.1-py3-none-any.whl (49.2 kB view details)

Uploaded Python 3

File details

Details for the file kuiilabs_clawaudit-0.1.1.tar.gz.

File metadata

  • Download URL: kuiilabs_clawaudit-0.1.1.tar.gz
  • Upload date:
  • Size: 53.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3

File hashes

Hashes for kuiilabs_clawaudit-0.1.1.tar.gz
Algorithm Hash digest
SHA256 8cf83a13e476221a69d7ebca36b9bcc61036c8b4bde90ef57162dc1b2f3338e0
MD5 5741a22c3d131134a7fa0e831ef00956
BLAKE2b-256 ba318ea13b6954873b20ae4b38bdeae36bd2376d1595af547e8f87b15d1c396f

See more details on using hashes here.

File details

Details for the file kuiilabs_clawaudit-0.1.1-py3-none-any.whl.

File metadata

File hashes

Hashes for kuiilabs_clawaudit-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 f68531aa0ac17fde76685872831c35dcc98223bc7039e0e6b7a15d6c2bab0076
MD5 b172988373bc985c117fa3995d107575
BLAKE2b-256 87b15493a42858dafb0772e9d4faa08d9af260092acbe501cde8fac5a0f79833

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page