Regular Skills Security Self-Checks to Prevent Supply Chain Attacks
Regularly perform security self-checks on skills to prevent supply chain attacks.
Audit Dimension |
Check Item |
|---|---|
Installed skill audit |
Scans installed skills for malicious code and suspicious behavior. |
Review before installing new skills |
Performs source verification, permission assessment, and code scanning. |
Configuration file integrity |
Checks whether the SOUL.md and AGENTS.md files are tampered with. |
Abnormal behavior detection |
Monitors network connections, file access, and command execution. |
Security score tracking |
Track trends and changes in skill security scores. |
Procedure
- Before installing any third-party skills, you can use the security audit tools recommended by OpenClaw, such as skill-vetter, security-audit, and oc-security-hardener.
- After installing or updating any skills, run a deep security audit. The --deep flag enables a static security scan of the skill's source code.
openclaw security audit --deep
- If any issues are detected, you can use the --fix option to attempt automatic remediation.
openclaw security audit --fix
Parent topic: Manual Configuration Items