← Back to Skills Marketplace
bvinci1-design

Skill Scanner

by bvinci1-design · GitHub ↗ · v0.1.2
cross-platform ⚠ suspicious
18465
Downloads
24
Stars
155
Active Installs
3
Versions
Install in OpenClaw
/install skill-scanner
Description
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.
Usage Guidance
This package appears to implement a local static scanner and a Streamlit UI that scans only the files you provide. Before installing or running it, do the following: 1) Verify the source/author — the registry metadata shows no homepage and the origin is unknown; prefer code from a trusted repo. 2) Inspect the full skill_scanner.py and streamlit_ui.py (the provided copy was truncated in places) to confirm there is no hidden behavior (network calls, code execution, auto-update). 3) Do not point the scanner at real secret stores or upload sensitive files to the web UI — it only looks for strings/patterns in files, but uploading sensitive data to a web UI increases exposure. 4) Run it in a sandbox or VM first and test on harmless sample skills to validate false-positive/negative behavior. 5) Note minor implementation issues (the UI references a format_markdown method and truncated code made it impossible to confirm all functions) — fix or review those before relying on automated CI gating. If you want higher assurance, ask the publisher for a canonical repo URL, full source, and a reproducible build or have a security-savvy reviewer audit the complete code.
Capability Analysis
Type: OpenClaw Skill Name: skill-scanner Version: 0.1.2 The OpenClaw AgentSkills skill bundle 'skill-scanner' is classified as benign. Its explicit purpose, as stated in SKILL.md and README.md, is to act as a security audit tool for other skills, detecting malicious patterns like data exfiltration, system modification, and arbitrary code execution. The core logic in `skill_scanner.py` implements this by scanning files against a comprehensive list of `THREAT_PATTERNS`. These patterns are indeed indicators of malicious behavior, but the scanner's code is designed to *detect* them, not *perform* them. There is no evidence of the skill itself engaging in any harmful activities, prompt injection against the agent (beyond its legitimate function), or obfuscation of its own intent.
Capability Assessment
Purpose & Capability
Name/description match the code: this is a local static scanner that searches files for malicious patterns and offers a Streamlit UI. It does not request credentials or binaries unrelated to its purpose. However the skill's origin is unknown (no homepage) and README suggests cloning from a GitHub repo; validate the upstream source before installing.
Instruction Scope
Runtime instructions and code limit activity to reading the target skill folder (or uploaded files) and producing a report; the scanner performs regex-based pattern matching and the Streamlit UI writes uploaded files to a temporary directory for scanning. It does not appear to execute scanned code or access system credential files directly. Still, the SKILL.md/README emphasize scanning for access to credential paths (they detect strings like '~/.ssh' in code) — ensure you do not point the scanner at real secret stores, and avoid uploading sensitive files to the web UI.
Install Mechanism
No install spec provided (instruction-only skill with included Python files). That is low-risk from an install perspective — nothing is downloaded or extracted by an automated installer. The Streamlit UI is optional and requires you to pip-install streamlit yourself.
Credentials
The skill requests no environment variables or credentials. The scanner flags patterns that would indicate credential/file access in scanned code, but the scanner itself does not request or require secrets.
Persistence & Privilege
always=false and the skill does not request persistent system changes. The code writes uploaded content to a temporary directory only and does not modify other skills or system configuration according to the reviewed files.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skill-scanner
  3. After installation, invoke the skill by name or use /skill-scanner
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
- Updated SKILL.md to use standardized frontmatter metadata format. - Clarified and expanded description for improved readability. - Removed redundant metadata from the main text section.
v0.1.1
- Added a descriptive tagline summarizing the skill’s purpose at the top of SKILL.md. - Updated tags section: switched to hashtag format and added new tags like #agent-skills, #safety, #threat-detection, and #vulnerability. - No code or functional changes; documentation update only.
v0.1.0
Initial release of skill-scanner: a security audit tool for Clawdbot/MCP skills. - Scans skill folders for malware, spyware, crypto-mining, and malicious patterns - Detects data exfiltration, system modification, code execution risks, backdoors, and obfuscation - Generates security reports in Markdown or JSON formats - Offers both command line and Streamlit Web UI interfaces - Requires only Python 3.7+ and optional Streamlit for Web UI
Metadata
Slug skill-scanner
Version 0.1.2
License
All-time Installs 161
Active Installs 155
Total Versions 3
Frequently Asked Questions

What is Skill Scanner?

Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques. It is an AI Agent Skill for Claude Code / OpenClaw, with 18465 downloads so far.

How do I install Skill Scanner?

Run "/install skill-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Scanner free?

Yes, Skill Scanner is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Skill Scanner support?

Skill Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Skill Scanner?

It is built and maintained by bvinci1-design (@bvinci1-design); the current version is v0.1.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments