
SafeHub

by sumeetghimire · GitHub ↗ · v1.0.2
darwin · linux · win32 · ⚠ suspicious
380 Downloads · 0 Stars · 3 Active Installs · 2 Versions
Install in OpenClaw
/install safehub
Description
Scan OpenClaw skills for malware and security issues before installation. Use when the user wants to verify a skill is safe, audit a ClawHub skill, or check...
Usage Guidance
SafeHub's implementation is coherent with its stated purpose, but pay attention to these practical risks before installing or running it:
  1. The 'update' command will fetch and overwrite the scanner's rule files from whatever GitHub repo you point it at — only use a rules repo you trust, and avoid running update against unknown forks.
  2. The Docker sandbox runs the target read-only with no network, but the code does not actually instrument or report detailed runtime behavior (networkAttempted and sensitiveReads are not detected), so do not rely solely on the sandbox to prove safety.
  3. Cached reports are stored in ~/.safehub and a Docker named volume may be created; review/delete these if they contain sensitive metadata.
  4. Because the tool executes git clone on GitHub URLs and starts containers via the Docker daemon, run SafeHub in an isolated environment (or inspect the code locally) if you are scanning untrusted repos.
If you plan to rely on SafeHub's results, review scanner/static.js and scanner/scorer.js to understand exactly what patterns are detected and how the trust score is computed.
Capability Analysis
Type: OpenClaw Skill
Name: safehub
Version: 1.0.2
SafeHub is a security scanner that contains a critical shell injection vulnerability in lib/resolve.js, where a GitHub URL is passed directly into execSync for a git clone operation without sufficient sanitization. Additionally, the update command in commands/update.js allows the tool to fetch and overwrite local rule files from an arbitrary GitHub repository (controlled by the SAFEHUB_RULES_REPO environment variable), which could be leveraged to manipulate scan results or potentially exploit the host. While the tool implements a restrictive Docker sandbox for dynamic analysis, these architectural flaws and the remote-update mechanism pose a significant security risk.
Capability Assessment
Purpose & Capability
Name/description match the implementation: it runs Semgrep-based static analysis and an optional Docker sandbox. Required binaries (node, semgrep, git) are proportional to the declared purpose. Dependencies (commander, dockerode) are reasonable for a CLI that can control Docker.
Instruction Scope
SKILL.md and code keep scope mostly limited to scanning. However: (1) the sandbox implementation simply runs the target in a container but does not instrument or capture network attempts/sensitive reads (sandboxResult fields are always empty unless an error occurs), so the claimed behavioral observation is misleading; (2) the updater will fetch and overwrite local rule files from any GitHub repo specified via SAFEHUB_RULES_REPO — this gives an external source control over the scanner's detection logic and must be treated as a privileged operation; (3) cached reports are written to ~/.safehub (may contain metadata about findings). All env vars that code reads are documented in SKILL.md.
Install Mechanism
No install spec is declared (installation is expected via ClawHub or npm), so nothing arbitrary is downloaded during install. The only runtime network downloads are GitHub API/raw requests in the update command which use well-known GitHub endpoints. No URL shorteners or personal servers are used. The code bundle contains source files, so auditable locally.
Credentials
No secret credentials are requested. Optional environment variables are reasonable (rules repo, branch, data dir, sandbox image, timeout). The main concern: SAFEHUB_RULES_REPO lets a user point the updater at any repo; if an attacker (or the user unknowingly) points this at a malicious fork, SafeHub will overwrite its local rule set with those files — potentially suppressing warnings or producing false-safe results. SAFEHUB_DATA_DIR defaults to ~/.safehub and stores cached reports; that persistent storage should be considered when scanning sensitive code.
Persistence & Privilege
always is false and the skill does not request platform-wide privileges. It creates/uses a persistent cache directory (~/.safehub) and may create a Docker named volume 'safehub_tmp', which can persist between runs. It does not modify other skills' configs. The ability to overwrite ./rules in the skill directory via update is a form of self-modification (documented) and is privileged for the scanner's behavior.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install safehub
  3. After installation, invoke the skill by name or use /safehub
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Docs: registry requirements, env vars, install/usage
v1.0.1
Security scanner for OpenClaw skills
Metadata
Slug: safehub
Version: 1.0.2
License
All-time Installs: 3
Active Installs: 3
Total Versions: 2
Frequently Asked Questions

What is SafeHub?

Scan OpenClaw skills for malware and security issues before installation. Use when the user wants to verify a skill is safe, audit a ClawHub skill, or check... It is an AI Agent Skill for Claude Code / OpenClaw, with 380 downloads so far.

How do I install SafeHub?

Run "/install safehub" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is SafeHub free?

Yes, SafeHub is completely free (open-source). You can download, install and use it at no cost.

Which platforms does SafeHub support?

SafeHub is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).

Who created SafeHub?

It is built and maintained by sumeetghimire (@sumeetghimire); the current version is v1.0.2.
