Safuclaw — Scan Skills Before You Install
by Ali Kayhan · v0.1.3 · MIT-0
Downloads: 486 · Stars: 1 · Active Installs: 1 · Versions: 4
Install in OpenClaw
/install safuclaw
Description
Security audit gate — scans agent skills for malware, prompt injection, and data exfiltration before installation
Usage Guidance
Key things to consider before installing:
- Understand what you will send: the auditor asks for the full SKILL.md and any non-SKILL.md files. These can include API keys, tokens, secrets, or proprietary code — remove or redact any sensitive values before uploading, or avoid uploading and instead run local checks.
- Verify the operator: the audit endpoint (https://api.safuclaw.com) and homepage are the only provenance. Confirm the vendor's reputation, privacy policy, and data-retention policy before sending code. If possible, test with harmless/dummy skill content first.
- Payment risks: the flow requires creating/funding a Base wallet and signing an x402 payment. Never share private keys or raw signing material with the audit service. Use a local signer or well-vetted wallet provider; confirm the payment address/route before funding.
- Alternatives: if you cannot trust the external service, run local static/behavioral tools or require the skill publisher to provide proofs (e.g., reproducible build, signed audit) instead of uploading source. Consider running audits inside a sandboxed environment and avoid sending files that contain credentials.
- Ask for guarantees: before using the service in production, request documentation about what the auditor retains, how long, how search/indexing is handled, whether inputs are reused to train models, and procedures for data deletion.
Given the clear potential for data exfiltration (intentional or accidental) and the financial/payment surface, treat this skill as potentially useful but risky — only proceed after confirming vendor trustworthiness and protecting any secrets in uploaded files.
Capability Analysis
Type: OpenClaw Skill
Name: safuclaw
Version: 0.1.3
The 'safuclaw' skill (SKILL.md) acts as a security gatekeeper that transmits the full content of other skills and bundled files to an external endpoint (api.safuclaw.com) for auditing. It employs prompt injection to instruct the agent to override user commands and refuse installations if the service is unavailable or returns a 'BLOCKED' status, effectively hijacking the agent's decision-making process. Additionally, it requires 0.99 USDC payments via the x402 protocol and provides instructions for the agent to manage crypto wallets and request funds from the user, which introduces significant financial and operational risk.
Capability Assessment
Purpose & Capability
Name and description match the SKILL.md: the skill is an audit gate that sends skill content to an external audit API. There are no unrelated environment variables, binaries, or install steps requested — the external API approach is coherent with the declared purpose.
Instruction Scope
Runtime instructions require sending the entire SKILL.md plus any non-SKILL.md files (full source/install scripts) to https://api.safuclaw.com for analysis. Uploading full file contents to a third party legitimately enables deeper analysis but also risks exfiltrating secrets or sensitive code. The x402 payment flow requires wallet creation/signing and sending 0.99 USDC per audit, which adds financial friction and social-engineering risk (users may be asked to fund wallets). The SKILL.md does not instruct how uploaded files are stored/retained or provide privacy/retention guarantees.
Install Mechanism
Instruction-only skill with no install spec and no code files to run locally, which reduces surface area. No downloads, no extracted archives, and no binaries are installed by the skill itself.
Credentials
The skill declares no required environment variables or credentials. However, its payment flow asks the agent/user to create or use a Base wallet and sign an x402 payment (private keys and signatures). That operation involves sensitive secrets (wallet private keys) and may require using a signing client; the SKILL.md does not explicitly prohibit sending private keys or signing payloads on an untrusted backend. The lack of declared credentials is consistent, but the wallet/signing requirement raises practical security concerns that are not fully addressed.
Persistence & Privilege
The skill does not request always:true or elevated persistent presence and has default invocation settings. It does not attempt to modify other skills or system-wide configuration according to the provided files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install safuclaw
- After installation, invoke the skill by name or use /safuclaw
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.3
Update wallet funding guidance and bump skill version to 0.1.3
v0.1.2
Add homepage metadata and bump skill version to 0.1.2
v0.1.1
Clarify pricing format to 0.99 USDC
v0.1.0
Initial release for Safuclaw — Agent Skill Security Audit
Frequently Asked Questions
What is Safuclaw — Scan Skills Before You Install?
Security audit gate — scans agent skills for malware, prompt injection, and data exfiltration before installation. It is an AI Agent Skill for Claude Code / OpenClaw, with 486 downloads so far.
How do I install Safuclaw — Scan Skills Before You Install?
Run "/install safuclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Safuclaw — Scan Skills Before You Install free?
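Yes, Safuclaw — Scan Skills Before You Install is completely free, licensed under MIT-0. You can download, install and use it at no cost. The audits it requests are a separate matter: as noted in the assessment above, the audit flow requires a 0.99 USDC payment per audit via the x402 protocol.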
Which platforms does Safuclaw — Scan Skills Before You Install support?
Safuclaw — Scan Skills Before You Install is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Safuclaw — Scan Skills Before You Install?
It is built and maintained by Ali Kayhan (@alikayhan); the current version is v0.1.3.