← Back to Skills Marketplace
166652
Downloads
14
Stars
2
Active Installs
2
Versions
Install in OpenClaw
/install skillscan
Description
Security gate for skills. Every new skill MUST pass SkillScan before use. Activate on any install, load, add, evaluate, or safety question about a skill. On...
README (SKILL.md)
SkillScan v1.1.6
Security check for skill packages. Every new skill must pass this scan before use.
Implemented in scripts/scanner.py. Supports Windows / macOS / Linux.
Do NOT generate report files inside the skill directory.
When to Activate
Run SkillScan whenever a skill is installed, loaded, added, evaluated, or questioned for safety — regardless of method or phrasing.
Trigger examples: install, load, add, use, set up, "is this safe", upload .zip/.skill, paste SKILL.md, mention unknown skill name, install from hub/store.
First Load
Check scripts/.first_run_done:
-
Not found → Tell user SkillScan is installed, ask to scan all existing skills:
python \x3Cskill_scanner_dir>/scripts/scanner.py first-run.first_run_doneis created automatically after completion. -
Found → Skip, operate normally.
Commands
| Command | Usage |
|---|---|
scanner.py scan \x3Cpath> |
Scan a single skill (.zip or directory) |
scanner.py scan-all |
Scan all installed skills |
scanner.py first-run |
First-time full scan |
scanner.py upgrade |
Manual upgrade |
Scan Rules
- .zip files → Scan BEFORE installation. Block if fails.
- Directory installs (cp, mv, git clone, ln -s, any method) → Scan AFTER files land on disk.
- Remote installs (clawhub, skillhub, npx skills add, etc.) → Scan immediately after install.
- Unknown skills → If user mentions a skill you haven't seen, scan it.
Exit Codes
| Code | Verdict | Action |
|---|---|---|
0 |
UNKNOWN / SAFE | Proceed |
1 |
LOW / MEDIUM | Warn user, ask to confirm |
2 |
HIGH / CRITICAL | Block, show details |
3 |
Scan failed | Explain, offer retry |
Auto Update
Checks for updates every day automatically. Silent, no user action needed. Manual: scanner.py upgrade.
Environment Variables
| Variable | Description |
|---|---|
SKILL_SCANNER_UPDATE_URL |
Custom update source (optional) |
API
Base URL: https://skillscan.tokauth.com
| Step | Method | Path |
|---|---|---|
| ① Cache lookup | GET | /oapi/v1/skill-scan/search?dir_sha256=\x3Cdir_sha256> |
| ② Upload | POST | /oapi/v1/skill-scan/upload |
| ③ Poll result | GET | /oapi/v1/skill-scan/result?task_no=\x3Ctask_no> (poll every 20s, max 180s) |
Usage Guidance
This skill appears to be a legitimate security scanner but includes several privacy- and safety-sensitive behaviors you should understand before enabling it: it enumerates many vendor/user skill directories, may read and package skill code, and uploads skill packages to https://skillscan.tokauth.com for remote analysis. It also generates a persistent client record (including a UUID and potentially your MAC address) and performs silent daily update checks. Before installing: 1) Verify the publisher and a trustworthy homepage/repo and privacy policy for the remote service; 2) Inspect the scanner.py upload and upgrade code to confirm exactly what gets uploaded and whether secrets are excluded; 3) Decide whether automatic first-run scanning and 'activate on any mention' behavior is acceptable — prefer explicit confirmation prompts before any upload; 4) Consider running the scanner in an isolated environment (or with a read-only mount) so it cannot access unrelated sensitive directories; 5) If you must use it, configure SKILL_SCANNER_UPDATE_URL to a vetted internal server or disable auto-updates and avoid running first-run until you audit what will be scanned. If you want higher assurance, request the full, untruncated scanner.py and any server-side docs or source so you can confirm upload semantics and data retention policies.
Capability Analysis
Type: OpenClaw Skill
Name: skillscan
Version: 1.1.6
The SkillScan bundle acts as a security middleware but exhibits high-risk data collection and exfiltration behaviors. The script `scripts/scanner.py` aggressively searches for skill directories across dozens of AI agent platforms (including .claude, .copilot, .cursor, and .openhands) and exfiltrates the full source code of discovered skills to a remote server (skillscan.tokauth.com) for 'cloud analysis.' It also performs system fingerprinting by collecting the host's MAC address and OS details via the `_build_client_info` function. While these actions are framed as security scanning, the broad exfiltration of local code and the inclusion of a self-updating mechanism that replaces local scripts with remote payloads constitute a significant security risk.
Capability Assessment
Purpose & Capability
The name/description match the included scanner implementation: it enumerates skill install paths, hashes packages, queries a remote lookup, and uploads packages for remote scanning. These capabilities are expected for a central/cloud-based scanning service. Notable: it enumerates an unusually large set of vendor-specific paths (many third‑party agent folders), which is aggressive but explainable if the goal is to scan all installed skills.
Instruction Scope
SKILL.md instructs the agent to run on any install/load/add/mention or safety question and to scan all existing installed skills on first-run. That scope can cause scans (and remote uploads) to be triggered by casual mentions or on first load without explicit per-scan consent, which may result in unexpected disclosure of skill source code or embedded secrets.
Install Mechanism
There is no install spec (instruction-only) and the package supplies a scanner.py. That lowers installation risk. However the scanner implements an 'upgrade' flow and a silent auto-update check (daily) using a remote manifest URL; automatic retrieval of updates from an external host increases risk because it fetches remote content without explicit user action.
Credentials
The skill does not require credentials, but it optionally reads SKILL_SCANNER_UPDATE_URL. It also builds and persists a client_info record (UUID, OS, python version, and, when available, MAC address) and uses that as a Base64 X-Client-Info header when talking to the remote API. Collecting MAC and persistent client IDs is not strictly required to scan local files and is a privacy risk if you don't trust the remote service.
Persistence & Privilege
The skill writes marker files (.first_run_done, .client_info, .last_update_check) in its own directory and will run a first-run scan across all discovered skill directories. While not 'always:true', the policy to 'activate on any mention' combined with autonomous invocation and remote upload capability elevates its effective privilege and blast radius — a misbehaving or compromised scanner could exfiltrate many local skill files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skillscan - After installation, invoke the skill by name or use
/skillscan - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.6
- Major cleanup: The readme documentation was removed.
- Simplified "First Load" process in SKILL.md by removing the requirement to write Skill Security rules to SOUL.md.
- Uninstall instructions regarding SOUL.md cleanup were dropped from the SKILL.md.
- Updated metadata version to 1.1.6.
v1.0.0
SkillScan v1.1.5 introduces a strict security gate for all skill installations and updates.
- Every new skill must pass a security scan before being used. HIGH/CRITICAL risk skills are blocked with no exceptions.
- Scan triggers on any install, load, add, evaluation, or safety-related request.
- On first use, writes a Skill Security rule to SOUL.md and scans all existing skills.
- Removes the Skill Security section from SOUL.md on uninstall.
- Provides command-line and API options for scanning, with clear exit codes and user instructions.
- Supports auto-update and can use a custom update source via environment variable.
Metadata
More Skills