Skill-Scanner-Pro
by GravityPoet · v0.1.4
421 Downloads · 0 Stars · 2 Active Installs · 2 Versions
Install in OpenClaw
/install skill-scanner-pro
Description
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data...
Usage Guidance
This package appears to be a straightforward local static scanner and UI for auditing Clawdbot/MCP skills. Before installing or running it:
1) Verify the source: confirm the GitHub repository and registry owner match and review the full repo for unexpected network calls or shell execution (the README points to a GitHub repo whose owner differs from the registry owner).
2) Run the scanner on copies of skill folders in an isolated environment (container or VM), not as root, particularly when scanning untrusted skills.
3) Expect false positives (patterns like '.env' or credential path mentions will be flagged); review findings manually.
4) If you use the Streamlit UI, install streamlit in a controlled environment; the UI writes uploaded files to a temporary directory.
5) If you need higher assurance, review the full, untruncated source for any hidden network access or subprocess execution before trusting it with sensitive directories.
Capability Analysis
Type: OpenClaw Skill
Name: skill-scanner-pro
Version: 0.1.4
This skill is a security audit tool designed to scan other OpenClaw skills for malicious patterns, including data exfiltration, system modification, crypto-mining, and arbitrary code execution. The code (`skill_scanner.py`) implements a comprehensive set of regex patterns to detect these threats in target files. Crucially, it includes logic (`_is_definition_noise`) to prevent it from flagging its own pattern definitions as malicious, demonstrating clear benign intent. The `SKILL.md` and `README.md` provide accurate descriptions and usage instructions without any prompt injection attempts. The `streamlit_ui.py` frontend handles user input safely by writing it to temporary files before scanning, without executing user-provided code. All components align with the stated purpose of a security scanner and exhibit no malicious behavior themselves.
Capability Assessment
Purpose & Capability
Name/description match the delivered artifacts: a Python scanner (skill_scanner.py) and an optional Streamlit UI (streamlit_ui.py) that scan skill folders for threat patterns. No unrelated environment variables, binaries, or system-level credentials are requested. Minor provenance inconsistencies: registry metadata lists version 0.1.4 while _meta.json/README reference 0.1.3, and README suggests cloning a GitHub repo owned by 'bvinci1-design' while the registry owner is different—this is not a direct security issue but reduces confidence in source provenance.
Instruction Scope
SKILL.md and README instruct the agent/user to run the scanner against local skill folders or upload ZIPs/code in the Streamlit UI. The scanner's runtime behavior (reading files under the provided path, skipping ignored directories, and reporting matches) aligns with the stated purpose. It does read file contents from paths you point it at (including SKILL.md, code files, and uploaded archives) — expected for a scanner.
Install Mechanism
No install spec is provided (instruction-only installer) and the scanner claims to use only the Python standard library. The Streamlit UI is optional and requires installing the streamlit package if you want the web interface. There are no remote downloads or archive extraction steps performed by the skill itself; README suggests cloning the GitHub repo (standard practice) but that is an out-of-band action the user performs.
Credentials
The skill does not request any environment variables or credentials. The scanner intentionally scans targets for uses of credential paths and environment access (that is its purpose). Be aware it will read any files you point it at — do not point it at sensitive directories unless you intend it to scan them.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent system privileges. The Streamlit UI and CLI use temporary directories for uploaded content; no code in the provided snippets indicates modification of other skills or system settings. Standard caution: run untrusted code (including tools) in isolated environments when possible.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skill-scanner-pro
- After installation, invoke the skill by name or use /skill-scanner-pro
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.4
Maintenance release: continue publication without fork metadata; no functional scanner changes.
v0.1.3
Pro enhanced edition: fixed Streamlit UI rendering/export; reduced false positives by fenced-code-only markdown scanning; suppressed self-noise; skip noisy dirs and oversized/binary files.
Frequently Asked Questions
What is Skill-Scanner-Pro?
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data... It is an AI Agent Skill for Claude Code / OpenClaw, with 421 downloads so far.
How do I install Skill-Scanner-Pro?
Run "/install skill-scanner-pro" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill-Scanner-Pro free?
Yes, Skill-Scanner-Pro is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Skill-Scanner-Pro support?
Skill-Scanner-Pro is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill-Scanner-Pro?
It is built and maintained by GravityPoet (@gravitypoet); the current version is v0.1.4.