Shoofly Plugin Scan
by wow-leeroy-jenkins05 · v0.1.0 · MIT-0
Downloads: 122 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install shoofly-plugin-scan
Description
Pre-install plugin security scanner for OpenClaw plugins
Usage Guidance
This appears to be a coherent instruction-only plugin scanner. Before installing or running it, ask the author (or check implementation) to confirm two things: (1) the scanner only analyzes files in the provided plugin directory and does not read host-sensitive files (e.g., ~/.ssh, ~/.aws, /etc/passwd) or other unrelated system paths; and (2) it does not exfiltrate plugin contents or make external network calls — the "Unusual network calls" check should be a pattern check, not an outbound fetch. Also verify the scanner's provenance (source code or homepage) before trusting results, and run it on untrusted plugins inside a sandbox or isolated environment until you confirm its behavior.
Capability Analysis
Type: OpenClaw Skill
Name: shoofly-plugin-scan
Version: 0.1.0
The bundle contains metadata and documentation for a security scanner utility named 'shoofly-plugin-scan'. The SKILL.md file describes standard security auditing functions such as checking for credentials, obfuscated code, and sensitive path access, with no evidence of malicious instructions or prompt injection attempts.
Capability Assessment
Purpose & Capability
Name/description match the instructions: the SKILL.md describes checks you would expect from a pre-install security scanner (credential patterns, obfuscated code, network URLs, sensitive path references, exec patterns). There are no unrelated required env vars, binaries, or install steps.
Instruction Scope
The instructions are high-level and scoped to scanning a plugin directory. However, the wording around "Sensitive path access — ~/.ssh, ~/.aws, ~/.gnupg, /etc/passwd" is ambiguous: it likely means "look for code that accesses these paths" rather than "read these paths on the host," but the doc does not explicitly forbid or clarify reading host system files or making network requests. Clarification is recommended.
Install Mechanism
No install spec and no code files — this is instruction-only, which minimizes risk because nothing is downloaded or written by default.
Credentials
No environment variables, credentials, or config paths are required in the registry metadata; that is proportionate for a static scanner.
Persistence & Privilege
Does not request always:true or any persistent/system-wide changes. Default autonomous invocation allowed (normal for skills) but there is no indication the skill would modify other skills or agent config.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install shoofly-plugin-scan
- After installation, invoke the skill by name or use /shoofly-plugin-scan
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release. Pre-install security scanner for OpenClaw plugins — scans for credentials, obfuscated code, suspicious network calls, and exec injection before you install. Hardened: exec false-positive fix, base64 entropy gate, automated test suite.
Frequently Asked Questions
What is Shoofly Plugin Scan?
Pre-install plugin security scanner for OpenClaw plugins. It is an AI Agent Skill for Claude Code / OpenClaw, with 122 downloads so far.
How do I install Shoofly Plugin Scan?
Run "/install shoofly-plugin-scan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Shoofly Plugin Scan free?
Yes, Shoofly Plugin Scan is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Shoofly Plugin Scan support?
Shoofly Plugin Scan is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Shoofly Plugin Scan?
It is built and maintained by wow-leeroy-jenkins05 (@wow-leeroy-jenkins05); the current version is v0.1.0.