Skip to main content

Security-first static scanner for OpenClaw skills.

Project description

ClawAudit

ClawAudit 是一个面向 OpenClaw skill 生态的安全审计工具,覆盖静态扫描、运行时观测、目录展示和开发者工作流集成。

项目目标不是再做一个通用技能市场,而是补上 技能发现 -> 风险判断 -> 发布前审计 -> 版本变化追踪 这条链路中的信任层。

安装

发布版安装:

pip install kuiilabs-clawaudit

安装完成后仍然使用 clawaudit 这个命令。

本地开发安装:

python3 -m venv .venv
.venv/bin/python -m pip install -e '.[dev]'

快速开始

扫描一个本地 skill:

clawaudit scan ./my-skill

查看某条规则的详细说明:

clawaudit explain shell-exec

输出 JSON:

clawaudit scan ./my-skill --format json --no-persist

生成徽章:

clawaudit badge ./my-skill --format svg --output badge.svg

运行时观测:

clawaudit runtime-scan ./my-skill --format text

更完整的上手文档见 GETTING_STARTED.md

当前能力

静态扫描

  • 扫描本地目录、仓库 URL、带 #ref=<tag-or-branch> 的版本化 URL
  • 扫描 GitHub tree/<ref>/<subpath> 子目录链接
  • 批量扫描多个目标
  • 解析 SKILL.md 中的权限声明
  • 输出 textjsonmarkdownsarif
  • 支持 --fail-on--max-risk-score--enforce-policy
  • 支持 diffrelease-notesbadgediscover-targets

目录站与 API

  • FastAPI API
  • SQLite 报告存储
  • 技能列表页、详情页、手动扫描页
  • 历史 diff、badge、release notes 导出

运行时观测

  • runtime-scan
  • runtime_policyruntime_execution
  • 文件读写、环境变量、shell/subprocess、socket/HTTP 事件观测
  • local-subprocesslocal-isolated-copy runner
  • timeout 与策略阻断

本地开发

仓库内常用命令:

.venv/bin/clawaudit --version
.venv/bin/clawaudit scan ./tests/fixtures/safe_skill
.venv/bin/clawaudit explain shell-exec
.venv/bin/python -m unittest discover -s tests -v

运行 API 和 Web:

.venv/bin/clawaudit-api

或:

.venv/bin/python -m uvicorn services.api.app:app --reload

默认页面:

  • http://127.0.0.1:8000/
  • http://127.0.0.1:8000/scan

规则文档

规则说明现在拆分到了独立文件:

规则索引见 rules/README.md

示例仓库

仓库里已经补了一个本地样例集,可直接用于演示不同风险等级:

你可以直接扫描:

.venv/bin/clawaudit scan ./clawaudit-example-skill/safe-skill
.venv/bin/clawaudit scan ./clawaudit-example-skill/warning-skill
.venv/bin/clawaudit scan ./clawaudit-example-skill/high-risk-skill

文档索引

发布前检查

当前本地已经验证通过:

  • pip install -e .
  • clawaudit --version
  • clawaudit scan --help
  • clawaudit explain --help
  • python -m unittest discover -s tests -v
  • python -m build --no-isolation
  • python -m twine check dist/*

如果要继续做 TestPyPI / 正式 PyPI 发布,还需要可用的 TWINE_USERNAME / TWINE_PASSWORD 或 token。

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kuiilabs_clawaudit-0.1.0.tar.gz (53.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

kuiilabs_clawaudit-0.1.0-py3-none-any.whl (49.2 kB view details)

Uploaded Python 3

File details

Details for the file kuiilabs_clawaudit-0.1.0.tar.gz.

File metadata

  • Download URL: kuiilabs_clawaudit-0.1.0.tar.gz
  • Upload date:
  • Size: 53.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3

File hashes

Hashes for kuiilabs_clawaudit-0.1.0.tar.gz
Algorithm Hash digest
SHA256 b94d4794db56912b7daca08ca60e4af947ff602fff20b208f6b8749a56b6d456
MD5 c041096dd97bb39b1f3f55eb3f847faf
BLAKE2b-256 d0391f1e18843f5169be20ea31dbd0bb69265651c164aefdbb0ac32ecb03ca14

See more details on using hashes here.

File details

Details for the file kuiilabs_clawaudit-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for kuiilabs_clawaudit-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 0d518445ab07db55ebd4c3a37f77666a7ae250bf5650e7df6f993116b7bd6cdd
MD5 6261a9dc4484159e8f07766fbe98fa05
BLAKE2b-256 288d7a57cce2ff289ce12e58b7637d82aa11d3e7e4e694038060e907c352d182

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page