From d6e33993d2c9674ef298e02fc6072202473706c8 Mon Sep 17 00:00:00 2001
From: 007gzs <007gzs@gmail.com>
Date: Tue, 31 Mar 2026 18:59:15 +0800
Subject: [PATCH 1/7] fix agent-audit scan crash agent-audit scan will crash with SKILL.md: ``` --- name: description: metadata: --- ```
---
 packages/audit/agent_audit/scanners/skill_meta_scanner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/audit/agent_audit/scanners/skill_meta_scanner.py b/packages/audit/agent_audit/scanners/skill_meta_scanner.py
index 2275065..1109687 100644
--- a/packages/audit/agent_audit/scanners/skill_meta_scanner.py
+++ b/packages/audit/agent_audit/scanners/skill_meta_scanner.py
@@ -168,7 +168,7 @@ def _parse_frontmatter(self, content: str) -> tuple:
 def _get_openclaw_meta(self, frontmatter: Dict[str, Any]) -> Dict[str, Any]:
 """Extract openclaw metadata from nested or flat structure."""
 nested = (
- frontmatter.get("metadata", {}).get("openclaw", {})
+ (frontmatter.get("metadata", {}) or {}).get("openclaw", {})
 )
 if nested:
 return nested
From a9e176f0b787e6fda3793b65383bd1a5a91010f8 Mon Sep 17 00:00:00 2001
From: 007gzs <007gzs@gmail.com>
Date: Thu, 9 Apr 2026 14:03:48 +0800
Subject: [PATCH 2/7] fix metadata format error crash
---
 .../audit/agent_audit/scanners/skill_meta_scanner.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/packages/audit/agent_audit/scanners/skill_meta_scanner.py b/packages/audit/agent_audit/scanners/skill_meta_scanner.py
index 1109687..02b4eb2 100644
--- a/packages/audit/agent_audit/scanners/skill_meta_scanner.py
+++ b/packages/audit/agent_audit/scanners/skill_meta_scanner.py
@@ -167,11 +167,13 @@ def _parse_frontmatter(self, content: str) -> tuple:
 def _get_openclaw_meta(self, frontmatter: Dict[str, Any]) -> Dict[str, Any]:
 """Extract openclaw metadata from nested or flat structure."""
- nested = (
- (frontmatter.get("metadata", {}) or {}).get("openclaw", {})
- )
- if nested:
- return nested
+ if not isinstance(frontmatter):
+ return {}
+ nested = frontmatter
+ for key in ("metadata", "openclaw"):
+ nested = nested.get(key, None)
+ if not isinstance(nested, dict):
+ return frontmatter
 return frontmatter
 def _check_daemon_persistence(
From bcd64561c1d55ba35338641ff9ec8e74f75e3796 Mon Sep 17 00:00:00 2001
From: 007gzs <007gzs@gmail.com>
Date: Thu, 9 Apr 2026 14:09:48 +0800
Subject: [PATCH 3/7] Fix isinstance check for frontmatter in skill_meta_scanner
---
 packages/audit/agent_audit/scanners/skill_meta_scanner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/audit/agent_audit/scanners/skill_meta_scanner.py b/packages/audit/agent_audit/scanners/skill_meta_scanner.py
index 02b4eb2..cfa6030 100644
--- a/packages/audit/agent_audit/scanners/skill_meta_scanner.py
+++ b/packages/audit/agent_audit/scanners/skill_meta_scanner.py
@@ -167,7 +167,7 @@ def _parse_frontmatter(self, content: str) -> tuple:
 def _get_openclaw_meta(self, frontmatter: Dict[str, Any]) -> Dict[str, Any]:
 """Extract openclaw metadata from nested or flat structure."""
- if not isinstance(frontmatter):
+ if not isinstance(frontmatter, dict):
 return {}
 nested = frontmatter
 for key in ("metadata", "openclaw"):
From 46abc55b64b4e5d9acff31aa5b43a25807bed38e Mon Sep 17 00:00:00 2001
From: 007gzs <007gzs@gmail.com>
Date: Thu, 9 Apr 2026 14:29:45 +0800
Subject: [PATCH 4/7] Return nested metadata instead of frontmatter
---
 packages/audit/agent_audit/scanners/skill_meta_scanner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
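Review bot: In PATCH 2/7's `_get_openclaw_meta`, a `metadata` value that is a string falls straight through to `return frontmatter`, yet the fixture added later in PATCH 5/7 (`metadata: '{"openclaw":{"requires":{"bins":[...]}}}'`) shows skills shipping the openclaw block as JSON text. For an audit scanner that presumably means the nested declarations in those files are never examined, and nothing reports that they were skipped. Decoding a string value before the `isinstance(nested, dict)` test, or emitting a finding when `metadata` is neither a mapping nor decodable, would close that gap. The sketch assumes `json` is already imported in this module, which the hunk does not show.

```python
            nested = nested.get(key, None)
            if isinstance(nested, str):
                # Some skills store the block as JSON text; decode it so the
                # nested openclaw keys are still inspected.
                try:
                    nested = json.loads(nested)
                except ValueError:
                    return frontmatter
            # … unchanged: isinstance(nested, dict) fallback to frontmatter …
```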
diff --git a/packages/audit/agent_audit/scanners/skill_meta_scanner.py b/packages/audit/agent_audit/scanners/skill_meta_scanner.py
index cfa6030..3a90747 100644
--- a/packages/audit/agent_audit/scanners/skill_meta_scanner.py
+++ b/packages/audit/agent_audit/scanners/skill_meta_scanner.py
@@ -174,7 +174,7 @@ def _get_openclaw_meta(self, frontmatter: Dict[str, Any]) -> Dict[str, Any]:
 nested = nested.get(key, None)
 if not isinstance(nested, dict):
 return frontmatter
- return frontmatter
+ return nested
 def _check_daemon_persistence(
 self,
From 058e033d166336d5e312a1e3882517e135446b65 Mon Sep 17 00:00:00 2001
From: 007gzs <007gzs@gmail.com>
Date: Fri, 24 Apr 2026 17:01:19 +0800
Subject: [PATCH 5/7] Enhance skill metadata scanner tests Add tests for skill files with and without metadata.
---
 .../test_scanners/test_skill_meta_scanner.py | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)
diff --git a/tests/test_scanners/test_skill_meta_scanner.py b/tests/test_scanners/test_skill_meta_scanner.py
index ea2dd60..c3d7e03 100644
--- a/tests/test_scanners/test_skill_meta_scanner.py
+++ b/tests/test_scanners/test_skill_meta_scanner.py
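Review bot: `return nested` in PATCH 4/7 changes the fallback for an empty nested block: with `metadata: {openclaw: {}}` the function now returns `{}`, where the code before this series (`if nested: return nested`) fell through to the flat `frontmatter`. Any flat-form keys in the same file would then not reach the checks that consume this result, which is a blind spot for an audit scanner; whether the skill loader honours flat keys in that situation is not visible here. Keeping the earlier fallback is a one-line change, `return nested or frontmatter`, and a test with an empty `openclaw` mapping plus flat keys would pin it. The function body starts above this hunk.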
@@ -419,3 +419,76 @@ def test_skill_file_direct(self, tmp_path):
 results = self.scanner.scan(skill)
 assert len(results) == 1
 assert any(f.rule_id == "AGENT-064" for f in results[0].security_findings)
+
+ def test_skill_file_no_metadata(self, tmp_path):
+ skill = tmp_path / "SKILL.md"
+ skill.write_text(textwrap.dedent("""\
+ ---
+ name:
+ description:
+ metadata:
+ ---
+ """))
+ results = self.scanner.scan(skill)
+ assert len(results) == 0
+
+ def test_skill_file_metadata_str(self, tmp_path):
+ """
+ metadata parsed json string
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/neo-ava/sparker/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/pipi6688/passive-income-claw/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/waydelyle/swarmvault/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/alexander-panov/finam/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/wanng-ide/arxiv-gamedevbench-evaluating-agentic-capabili/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/bankofbotsandy/bankofbots/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/tmchow/image-sprout/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/cyberforexblockchain/nexus-data-transform/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/marcelo-rowship/rwagenthub2/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/qianjunye/us3-uploader-encrypted/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/yorch233/paper-highlight/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/aghareza/taskwarrior/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/adahubble/cf-workers-logs/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/lilisidu1210-ui/baijiahao-publish/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/lilei0311/macos-suite-readonly/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/tmoody1973/crate-music-research/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/zhouyi531/openclaw-role-builder/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/donigwapo/slack-member-fetch/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/jerrrr/anyshare-mcp/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/jinwangmok/disk-usage/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/madridblues/zetto-network/SKILL.md
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/bossandy123/yintai-tasks-runner/SKILL.md
+ """
+ skill = tmp_path / "SKILL.md"
+ skill.write_text(textwrap.dedent("""\
+---
+name: image-sprout
+description: >
+ Generate and iterate on images using Image Sprout projects. Creates consistent
+ outputs from reference images, style guides, and subject guides. Use when an
+ agent or user needs repeatable image generation with saved context.
+user-invocable: true
+metadata: '{"openclaw":{"requires":{"bins":["image-sprout"]},"homepage":"https://github.com/tmchow/image-sprout"}}'
+---
+ """))
+ results = self.scanner.scan(skill)
+ assert len(results) == 0
+
+ def test_skill_file_metadata_str(self, tmp_path):
+ """
+ error metadata format: list
+ https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/tjlzw/iaskaster/SKILL.md
+ """
+ skill = tmp_path / "SKILL.md"
+ skill.write_text(textwrap.dedent("""\
+---
+name: iaskaster
+description: xxx
+metadata:
+ - trigger: "检查登录|登录状态|是否登录"
+ action: "node $IASKASTER/index.js --tool iaskaster_auto '{\"action\":\"check_login\"}'"
+ - trigger: "发送验证码|获取验证码"
+ action: "node $IASKASTER/index.js --tool iaskaster_auto '{\"action\":\"send_code\",\"contact\":\"\"}'"
+---
+ """))
+ results = self.scanner.scan(skill)
+ assert len(results) == 0
From 53e8d23ff18bdf646d56e39b25aa3e2dc195d65d Mon Sep 17 00:00:00 2001
From: 007gzs <007gzs@gmail.com>
Date: Fri, 24 Apr 2026 17:15:37 +0800
Subject: [PATCH 6/7] Update tests to expect one result from scanner
---
 tests/test_scanners/test_skill_meta_scanner.py | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/tests/test_scanners/test_skill_meta_scanner.py b/tests/test_scanners/test_skill_meta_scanner.py
index c3d7e03..939bd87 100644
--- a/tests/test_scanners/test_skill_meta_scanner.py
+++ b/tests/test_scanners/test_skill_meta_scanner.py
@@ -430,7 +430,7 @@ def test_skill_file_no_metadata(self, tmp_path):
 ---
 """))
 results = self.scanner.scan(skill)
- assert len(results) == 0
+ assert len(results) == 1
 def test_skill_file_metadata_str(self, tmp_path):
 """
@@ -471,7 +471,7 @@ def test_skill_file_metadata_str(self, tmp_path):
 ---
 """))
 results = self.scanner.scan(skill)
- assert len(results) == 0
+ assert len(results) == 1
 def test_skill_file_metadata_str(self, tmp_path):
 """
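Review bot: The three tests added in PATCH 5/7 assert only `len(results)`, so they pass whether or not the scanner ever looks at the `openclaw` block; `test_skill_file_metadata_str` in particular would not notice if `requires.bins` from the JSON-string metadata is ignored. Because these fixtures guard a security scanner against malformed frontmatter, each should also assert on what was extracted or reported, in the way the context lines above do with `assert any(f.rule_id == "AGENT-064" for f in results[0].security_findings)`. Separately, `skill.write_text(...)` is called without an encoding while the list fixture contains non-ASCII text, so the bytes written depend on the platform default; passing `encoding="utf-8"` makes the fixture deterministic.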
@@ -484,11 +484,10 @@ def test_skill_file_metadata_str(self, tmp_path):
 name: iaskaster
 description: xxx
 metadata:
- - trigger: "检查登录|登录状态|是否登录"
- action: "node $IASKASTER/index.js --tool iaskaster_auto '{\"action\":\"check_login\"}'"
- - trigger: "发送验证码|获取验证码"
- action: "node $IASKASTER/index.js --tool iaskaster_auto '{\"action\":\"send_code\",\"contact\":\"\"}'"
----
- """))
+ - trigger: "余额查询|账户余额|剩余额度"
+ action: "node $IASKASTER/index.js --tool iaskaster_balance '{}'"
+ - trigger: "充值|充值链接"
+ action: "node $IASKASTER/index.js --tool iaskaster_recharge '{}'"
+---"""))
 results = self.scanner.scan(skill)
- assert len(results) == 0
+ assert len(results) == 1
From 3bb97e1345c752969bd260c083788660c4ab18e4 Mon Sep 17 00:00:00 2001
From: 007gzs <007gzs@gmail.com>
Date: Fri, 24 Apr 2026 17:16:30 +0800
Subject: [PATCH 7/7] Rename test from 'metadata_str' to 'metadata_list'
---
 tests/test_scanners/test_skill_meta_scanner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_scanners/test_skill_meta_scanner.py b/tests/test_scanners/test_skill_meta_scanner.py
index 939bd87..b3310ce 100644
--- a/tests/test_scanners/test_skill_meta_scanner.py
+++ b/tests/test_scanners/test_skill_meta_scanner.py
@@ -473,7 +473,7 @@ def test_skill_file_metadata_str(self, tmp_path):
 results = self.scanner.scan(skill)
 assert len(results) == 1
- def test_skill_file_metadata_str(self, tmp_path):
+ def test_skill_file_metadata_list(self, tmp_path):
 """
 error metadata format: list
 https://github.com/openclaw/skills/blob/7f4194d3d605f01c213558e905c617b6f359d806/skills/tjlzw/iaskaster/SKILL.md