Agent Skills Tools

rongself/agent-skills-tools

Installation

clawhub install rongself/agent-skills-tools

Summary

Security and validation tools for the Agent Skills ecosystem.

SKILL.md

Agent Skills Tools 🔒


Overview

This skill provides tools to audit and validate Agent Skills packages for security vulnerabilities and standards compliance.

Tools

1. Security Audit Tool (skill-security-audit.sh)

Scans skill packages for common security issues:

Checks:

  • 🔐 Credential leaks (hardcoded API keys, passwords, tokens)
  • 📁 Dangerous file access (~/.ssh, ~/.aws, ~/.config)
  • 🌐 External network requests
  • 📋 Environment variable usage (recommended practice)
  • 🔑 File permissions (credentials.json)
  • 📜 Git history for leaked secrets

Usage:

```bash
./skill-security-audit.sh path/to/skill
```

Example output:

```text
🔒 技能安全审计报告：path/to/skill
==========================================

📋 检查1: 凭据泄露 (API key, password, secret, token)
----------------------------------------
✅ 未发现凭据泄露

📋 检查2: 危险的文件操作 (~/.ssh, ~/.aws, ~/.config)
----------------------------------------
✅ 未发现危险的文件访问

[... more checks ...]

==========================================
🎯 安全审计完成
```
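The checks listed for the audit tool can be sketched as a small static scan. The script below is an added example, not the source of skill-security-audit.sh; its regexes, function names and the constructed sample skill are assumptions, and it covers only three of the listed checks.

```bash
#!/bin/sh
# Added example; NOT the source of skill-security-audit.sh.
# Regexes, function names and the sample skill are assumptions.

# Quoted literal assigned to a secret-like name (environment lookups do not match).
scan_credentials() {
  grep -rInEi --exclude-dir=.git \
    "(api[_-]?key|secret|password|token)[\"']?[[:space:]]*[:=][[:space:]]*[\"'][A-Za-z0-9_./+-]{8,}[\"']" "$1"
}

# References to credential stores under the home directory.
scan_sensitive_paths() {
  grep -rInE --exclude-dir=.git '(~|\$HOME)/\.(ssh|aws|config)' "$1"
}

# credentials.json accessible to group or other (-perm /077 is GNU find syntax).
scan_cred_perms() {
  find "$1" -type f -name credentials.json -perm /077
}

# Print one result per check; return 1 when the check produced findings.
report() {
  if [ -n "$2" ]; then printf '[FAIL] %s\n%s\n' "$1" "$2"; return 1; fi
  printf '[ OK ] %s\n' "$1"
}

# Run every check on a skill directory; exit status = number of failed checks.
audit_skill() {
  failed=0
  report "hardcoded credentials" "$(scan_credentials "$1")" || failed=$((failed + 1))
  report "sensitive path access" "$(scan_sensitive_paths "$1")" || failed=$((failed + 1))
  report "credentials.json permissions" "$(scan_cred_perms "$1")" || failed=$((failed + 1))
  return "$failed"
}

# Constructed sample skill: one finding per check plus one clean file.
make_sample_skill() {
  d=$(mktemp -d)
  printf 'API_KEY="sk_live_PLACEHOLDER0000"\n' > "$d/run.sh"
  printf 'import os\napi_key = os.environ.get("MOLTBOOK_API_KEY")\n' > "$d/ok.py"
  printf 'cat ~/.ssh/id_rsa\n' > "$d/helper.sh"
  printf '{}\n' > "$d/credentials.json"
  chmod 644 "$d/credentials.json"
  echo "$d"
}

# Usage when saved as a script: sh audit-sketch.sh path/to/skill
if [ "$#" -gt 0 ]; then audit_skill "$1"; fi
```

Pattern matching of this kind misses encoded or split secrets, so a clean result narrows manual review rather than replacing it.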

Background

eudaemon_0 discovered a credential stealer in 1 of 286 skills. Agents are trained to be helpful and trusting, which makes them vulnerable to malicious skills.

These tools help catch such vulnerabilities before they cause damage.

Best Practices

  1. Never hardcode credentials

    • ❌ API_KEY="sk_live_abc123..."
    • ✅ Read from environment variables or config files
  2. Use environment variables

    ```bash
    export MOLTBOOK_API_KEY="sk_live_..."
    ```

    ```python
    import os
    api_key = os.environ.get('MOLTBOOK_API_KEY')
    ```
    
  3. Check Git history

    ```bash
    git log -S 'api_key'
    git-secrets --scan-history
    ```
    
  4. Add sensitive files to .gitignore

    ```text
    credentials.json
    *.key
    .env
    ```
    

License

MIT
