829 downloads · 1 star · 4 active installs · 2 versions
Install in OpenClaw: /install skill-security
Description
Security audit tool for OpenClaw skills. Scans for credential harvesting, code injection, network exfiltration, obfuscation. ALWAYS run before installing any...
Usage Guidance
This looks like a coherent local security auditor. Before running it: (1) review the shipped scripts yourself (they will execute locally and read files you point them at); (2) be aware the scanner uses broad regexes and can produce false positives—manually inspect any HIGH/CRITICAL matches; (3) confirm blocklist.txt and allowlist.txt are stored where you expect (they are in the skill directory) before trusting automatic writes; (4) note the SKILL.md advertises paid 'premium' links — unrelated to the audit functionality; (5) if you plan to run this automatically in agents, treat it like any third-party tool: run it in a trusted environment and consider code review or running in a sandbox first.
Capability Analysis
Type: OpenClaw Skill
Name: skill-security
Version: 1.0.1
The OpenClaw AgentSkills skill bundle is designed as a security audit tool, and its core functionality in `audit.sh` appears benign and aligned with its stated purpose. However, the `preinstall-check.sh` script contains a regex injection vulnerability: when checking `blocklist.txt` and `allowlist.txt`, it uses the `SKILL_NAME` directly as a regex pattern in `grep`. A malicious skill could be named with regex metacharacters (e.g., `.` or `*`) to potentially bypass existing blocklist entries or trick the allowlist mechanism, leading to an unintended security bypass. This is a vulnerability in the security tool itself, not evidence of intentional malicious behavior by this skill.
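The pattern problem described above, as an added example that is not part of the skill's own scripts: a naive check that interpolates the skill name straight into a `grep` pattern is shown beside a hardened check that uses `grep -F -x --` (fixed string, whole line, no option parsing). The list entries and skill names are constructed for the demonstration; the real `preinstall-check.sh` reads `blocklist.txt` and `allowlist.txt` from the skill directory, and the same fix applies to both lookups.

```sh
#!/bin/sh
# Added example (not from the skill-security listing or its scripts).
# Assumption: a list file holds one skill name per line and the check must
# answer "is exactly this name listed?". The entries below are constructed.
set -u

# Constructed list contents (stands in for blocklist.txt / allowlist.txt).
LIST_ENTRIES='evil-skill
data-exfil'

# Naive check: the name becomes the regex pattern, so '.' or '*' in the name
# change what matches, and a substring of an entry also matches.
naive_is_listed() {
  printf '%s\n' "$LIST_ENTRIES" | grep -q "$1"
}

# Hardened check: -F treats the name as a literal string, -x requires the
# whole line to match, and -- keeps a name starting with '-' from being
# parsed as a grep option.
strict_is_listed() {
  printf '%s\n' "$LIST_ENTRIES" | grep -Fxq -- "$1"
}

# Prints "naive strict" verdicts (yes/no) for one candidate name.
verdicts() {
  n=no
  s=no
  naive_is_listed "$1" && n=yes
  strict_is_listed "$1" && s=yes
  printf '%s %s\n' "$n" "$s"
}

# Demo: only the hardened check gives the right answer for every case.
for name in 'evil-skill' 'evil' '.' 'e.il-skill' 'safe-skill'; do
  printf '%-12s naive/strict: %s\n' "$name" "$(verdicts "$name")"
done
```

The two middle cases are the ones that matter for the analysis: a name that is a bare `.` or a substring of a listed entry is reported as listed by the naive check, which for an allowlist means an unlisted skill is treated as trusted; the `-Fx` form only ever matches the exact name.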
Capability Assessment
Purpose & Capability
The SKILL.md and included shell scripts implement a static, pattern-based scanner for skills (network calls, credential file access, dynamic execution, base64, env access). The files present (audit.sh, audit-all.sh, preinstall-check.sh, allowlist/blocklist) are exactly what a simple local auditor would need; no unrelated cloud credentials, binaries, or config paths are requested.
Instruction Scope
Instructions are focused on running local audits and integrating a pre-install check. The auditor scans arbitrary skill directories (as intended) and prints matching lines; it does not send data externally. Note: the regexes are broad and will produce false positives (and may match comments or benign code). Also review the scripts before running, since they will read files you point them at and print matching lines (which could include secrets).
Install Mechanism
No install spec is provided (instruction-only with shipped scripts). That is low-risk from an install-network perspective. The provided scripts will be executed locally by the user/agent; they write to local blocklist/allowlist files in the skill directory, which is reasonable for a scanner.
Credentials
The skill requests no environment variables or credentials. The scripts use common environment values (HOME, provided skill path) only. There are no declared or hidden credential requirements.
Persistence & Privilege
`always` is false and the skill does not attempt to modify other skills' configs or system-wide agent settings. It does persist its own allowlist/blocklist files in its directory, which matches its purpose.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skill-security
- After installation, invoke the skill by name or use /skill-security
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Add premium skills promo links
v1.0.0
Initial release — audit skills for credential harvesting, injection, exfiltration
Frequently Asked Questions
What is Skill Security Scanner?
Security audit tool for OpenClaw skills. Scans for credential harvesting, code injection, network exfiltration, obfuscation. ALWAYS run before installing any... It is an AI Agent Skill for Claude Code / OpenClaw, with 829 downloads so far.
How do I install Skill Security Scanner?
Run "/install skill-security" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Security Scanner free?
Yes, Skill Security Scanner is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Skill Security Scanner support?
Skill Security Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill Security Scanner?
It is built and maintained by suryast (@suryast); the current version is v1.0.1.