← Back to Skills Marketplace
Skill
by
Folvindine
· GitHub ↗
· v1.1.0
· MIT-0
217
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install agora-sentinel
Description
Security check for OpenClaw skills. Scan any ClawHub skill for malware, prompt injection, data theft, wallet stealing, and dangerous permissions BEFORE insta...
README (SKILL.md)
\r \r
When to Use This Skill\r
\r
ALWAYS check a skill's safety before installing it. Whenever the user asks\r
to install a ClawHub skill, or you are about to run clawhub install, FIRST\r
check the skill's trust score using this skill.\r
\r
Before ANY skill install, run the check script:\r
\r
bash scripts/check_skill.sh \x3Cskill-slug>\r
```\r
\r
If the result shows:\r
- **TRUSTED** or **CLEAN** — Safe to proceed. Tell the user the score.\r
- **CAUTION** — Warn the user about specific risks. Proceed only if they confirm.\r
- **WARNING** — Strongly advise against installing. Show the findings.\r
- **DANGER** — Do NOT install. Show the user exactly what was detected.\r
\r
Before installing any skill, always check it first. This is the single most\r
important thing this skill does — automatic pre-install security screening.\r
\r
## Checking a Specific Skill\r
\r
When the user asks about a skill's safety, reputation, or trustworthiness —\r
including "is this skill safe", "is this legit", "should I install this",\r
"can I trust this", or any concern about security:\r
\r
```bash\r
bash scripts/check_skill.sh \x3Cskill-slug>\r
```\r
\r
Present the results clearly:\r
- Trust Score (0-100) and Badge (TRUSTED/CLEAN/CAUTION/WARNING/DANGER)\r
- Tier level (0-4, where 4 is most trusted)\r
- Any flags: malware patterns, excessive permissions, prompt injection risk\r
- Permission breakdown: what the skill requests access to\r
- How old the skill is and how many downloads it has\r
\r
If the user just gives a skill name without the exact slug, try the name\r
as-is (lowercase, hyphenated). Example: "crypto helper" -> "crypto-helper"\r
\r
For a detailed security audit with full findings:\r
\r
```bash\r
curl -s https://checksafe.dev/api/v1/skills/\x3Cskill-slug>/report\r
```\r
\r
## Scanning All Installed Skills\r
\r
When the user asks to audit their installed skills, check their security,\r
review what they have installed, check all installed skills, or says\r
"review my skills", "security audit", or "scan my setup":\r
\r
```bash\r
bash scripts/scan_installed.sh\r
```\r
\r
This scans every skill in the workspace and reports any with WARNING or\r
DANGER ratings. Present results as a summary table showing each skill's\r
badge and score, then detail any concerning findings.\r
\r
## Quick Check Without Scripts\r
\r
If scripts are unavailable, you can check directly:\r
\r
```bash\r
curl -s https://checksafe.dev/api/v1/skills/\x3Cskill-slug>/badge.json\r
```\r
\r
Response format:\r
```json\r
{\r
"slug": "skill-name",\r
"label": "sentinel",\r
"message": "trusted",\r
"color": "#4caf50",\r
"trust_score": 94,\r
"tier": 4\r
}\r
```\r
\r
For a full report with detailed findings:\r
```bash\r
curl -s https://checksafe.dev/api/v1/skills/\x3Cskill-slug>/report\r
```\r
\r
## What Gets Scanned\r
\r
Agora Sentinel continuously monitors every skill on ClawHub (30,000+) for:\r
\r
- **Malware patterns**: wallet theft, credential stealing, crypto stealing code, hidden downloads\r
- **Prompt injection**: instructions that override system prompts or manipulate the LLM\r
- **Data exfiltration**: code that sends local files, environment variables, or secrets to external servers\r
- **Excessive permissions**: skills requesting shell+network access when they shouldn't need it\r
- **Dangerous permission combos**: file_write+network enables data theft, shell+network enables RCE\r
- **Obfuscated code**: base64 encoded commands, hidden hex payloads, eval of dynamic content\r
- **Hidden instructions**: zero-width characters, HTML comment tricks, fake system prompts\r
- **ClickFix social engineering**: fake prerequisites telling users to run malicious terminal commands\r
- **Two-stage loaders**: download-and-execute patterns, base64 decode pipelines, fetch+eval\r
- **Credential theft**: SSH keys, browser cookies, crypto wallets, OpenClaw env files, keychain access\r
- **Infrastructure IOCs**: known malicious IPs and domains from the ClawHavoc campaign\r
- **Typosquatting**: skill names mimicking popular legitimate skills (Levenshtein distance)\r
- **Campaign detection**: coordinated bulk uploads from suspicious authors\r
\r
All scans run automatically. No API key needed. Results update continuously.\r
Dashboard: https://checksafe.dev/dashboard/\r
\r
## Trust Tiers\r
\r
| Tier | Name | Meaning |\r
|------|------|---------|\r
| 4 | Trusted | Score 90+, 30+ days old, zero findings ever |\r
| 3 | Certified | Score 75+, no critical findings |\r
| 2 | Clean | Score 55+, passed all scans |\r
| 1 | Scanned | Score 30+, some concerns |\r
| 0 | Dangerous | Score below 30 OR malicious patterns detected |\r
\r
## Batch Checking Multiple Skills\r
\r
To check several skills at once:\r
\r
```bash\r
bash scripts/check_batch.sh skill-one skill-two skill-three\r
```\r
\r
## What This Skill Does NOT Do\r
\r
- Does not execute or sandbox skills — only checks Sentinel's pre-computed trust data\r
- Does not block installs — warns and advises, user has final say\r
- Does not require any API keys or accounts\r
- Does not send any user data to Sentinel — only queries by skill slug\r
- Does not modify other skills or system files\r
Usage Guidance
This skill appears to be a lightweight client for the external service checksafe.dev (it queries badge.json and report endpoints). Before installing, consider:
- Privacy: scan_installed.sh collects local skill slugs and sends them to checksafe.dev; if you are uncomfortable exposing your installed-skill inventory, do not run the batch/scan scripts or review them locally first.
- Trust the external service: the tool relies entirely on checksafe.dev. Verify the domain, TLS, and the service's privacy policy if you will send any inventory. If you need to avoid network calls, use the scripts only with explicit, manual slug names or inspect the API responses from a browser first.
- Automatic pre-install: the README/SKILL.md implies automatic pre-install hooks; those are not implemented. If you expect an agent to automatically intercept 'clawhub install', additional integration would be required.
- Confirm behavior: the code is readable and not obfuscated, so you can safely inspect scripts before running. If you want stronger guarantees, ask the author for an explanation of what metadata is logged server-side and for an option to run checks locally or provide an allowlist/offline dataset.
Given these mismatches (especially the inaccurate claim about not sending user data), treat the skill as useful but with privacy implications — review and run the scripts manually and confirm the external service's trustworthiness before enabling automatic or broad scans.
Capability Analysis
Type: OpenClaw Skill
Name: agora-sentinel
Version: 1.1.0
The skill 'agora-sentinel' functions as a security scanner for other OpenClaw skills by querying a remote API at checksafe.dev. However, it contains a critical RCE vulnerability in 'scripts/check_skill.sh' and 'scripts/check_batch.sh' where raw API responses are interpolated directly into a python3 execution string using triple quotes, allowing the remote server to execute arbitrary code. Additionally, 'scripts/scan_installed.sh' is vulnerable to shell injection via unquoted expansion of local directory names, and 'SKILL.md' contains instructions that direct the AI agent to intercept and gatekeep all user installation commands.
Capability Assessment
Purpose & Capability
The name/description match what the scripts do: query a remote trust database at checksafe.dev for a skill slug and present a badge/report. However, the SKILL.md claims this will 'automatically' pre-check before any clawhub install; there is no integration or hook provided to implement automatic pre-install checks (the repo only includes standalone shell scripts). The automatic pre-install behavior is therefore marketing rather than implemented functionality.
Instruction Scope
The runtime instructions and scripts call HTTPS endpoints at checksafe.dev with skill slugs and, in batch/scan mode, enumerate the local skills directory and send all discovered slugs to the remote API. The SKILL.md asserts 'Does not send any user data to Sentinel — only queries by skill slug', but scanning installed skills will in practice transmit the user's installed-skill inventory (slugs), which is user-specific information. There are no instructions that read or transmit local files or secrets, but the inventory leak is a privacy/leakage vector the docs understate.
Install Mechanism
No install spec and the shipped files are simple, readable shell scripts and markdown. Nothing is downloaded or executed from untrusted URLs by the scripts themselves (they only call checksafe.dev APIs). There is no archive download/extract behavior in the skill itself.
Credentials
The skill requests no environment variables or credentials, which aligns with its purpose. However, transmitting installed skill slugs to a third-party service is a form of data exfiltration (metadata) even if no secrets are sent; the SKILL.md's blanket statement that 'Does not send any user data to Sentinel' is inaccurate in the context of installed-skill scans.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system configuration. It can be invoked autonomously by an agent (default behavior) but that is normal for skills and not by itself a red flag here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install agora-sentinel - After installation, invoke the skill by name or use
/agora-sentinel - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
- Skill database coverage increased from 24,000+ to 30,000+ ClawHub skills.
- Expanded scan checks: now includes ClickFix social engineering, two-stage loader detection, credential theft, infrastructure IOCs, typosquatting, and campaign detection.
- Updated documentation in SKILL.md to reflect the broader scanning and new risk detection features.
- No changes to API usage, permissions, or script invocation.
v1.0.0
Initial release of agora-sentinel: security scanner for ClawHub skills.
- Provides automatic malware and risk scanning before installing or reviewing any ClawHub skill.
- Checks for malware, prompt injection, data theft, wallet stealing, excessive and dangerous permissions.
- Uses continuously updated trust and reputation data for all 24,000+ skills; no API key required.
- Offers clear trust scores, badges, and full reports via scripts or direct API call.
- Can batch-audit installed or multiple skills and flags any with risks or warnings.
- Designed to pre-check skills when user asks about safety or initiates an install.
Metadata
Frequently Asked Questions
What is Skill?
Security check for OpenClaw skills. Scan any ClawHub skill for malware, prompt injection, data theft, wallet stealing, and dangerous permissions BEFORE insta... It is an AI Agent Skill for Claude Code / OpenClaw, with 217 downloads so far.
How do I install Skill?
Run "/install agora-sentinel" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill free?
Yes, Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill support?
Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Skill?
It is built and maintained by Folvindine (@folvindine); the current version is v1.1.0.
More Skills