Skill Security Scanner
by utopiabenben · GitHub · v0.1.0 · MIT-0
104 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw
/install skill-secure-checker
Description
Automatically scans Python skill code to detect security risks like malicious patterns, hardcoded secrets, dangerous functions, and integrates VirusTotal sca...
Usage Guidance
This package appears to implement what it advertises: a local Python static scanner with an optional VirusTotal step. Before installing or running it:
1) Inspect install.sh (it symlinks source/cli.py into ~/.local/bin); make sure that path is acceptable and that you know where the repo will live, because the symlink points into it.
2) If you plan to enable VirusTotal, review the implementation of _scan_with_virustotal (truncated in the provided files) to confirm it only calls VirusTotal and handles the API key safely.
3) Run the tool against a test directory first (not production code) to see its outputs and confirm it does not contact unexpected endpoints.
4) The scanner reads all files under the supplied skill_path (it also scans some non-Python text files and config files), so point it only at directories you intend to scan.
5) The registry metadata omits an install spec while the package contains an installer, so prefer manual inspection and manual installation into a controlled location (or a virtual environment) rather than blindly running the install script.
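Step 3 above asks you to confirm that the tool contacts nothing unexpected. One way to do that on a lab run, as an added example that is not part of the skill or of this listing: execute source/cli.py under a Python audit hook that records every network-related event and refuses DNS lookups and connections to anything other than an allow-listed host. The allow-listed host www.virustotal.com and the block-by-RuntimeError policy are assumptions for the illustration; the endpoint the truncated _scan_with_virustotal actually uses must be confirmed from the source.

```python
import ipaddress
import runpy
import socket
import sys

# Assumption: the VirusTotal API host. Adjust after reading _scan_with_virustotal.
ALLOWED_HOSTS = {"www.virustotal.com"}
ALLOWED_IPS = set()   # filled by main() by resolving ALLOWED_HOSTS before the hook is armed
OBSERVED = []         # (event, target) for every network event, printed after the run


def _host_of(address):
    """Host part of the address handed to socket.connect/sendto (tuple or AF_UNIX path)."""
    host = address[0] if isinstance(address, tuple) and address else address
    return host.decode() if isinstance(host, bytes) else str(host)


def check_event(event, args, allowed_hosts=None, allowed_ips=None):
    """Return True if the audit event may proceed, False if it must be blocked.
    Anything that is not a network event passes through unchanged."""
    allowed_hosts = ALLOWED_HOSTS if allowed_hosts is None else allowed_hosts
    allowed_ips = ALLOWED_IPS if allowed_ips is None else allowed_ips
    if event == "urllib.Request":               # args: (url, data, headers, method)
        OBSERVED.append((event, args[0]))
        return True                              # decided at the socket layer below
    if event == "socket.getaddrinfo":           # args: (host, port, family, type, proto)
        host = args[0]
        if isinstance(host, bytes):
            host = host.decode()
        OBSERVED.append((event, host))
        return host is None or host in allowed_hosts   # None = local/wildcard lookup
    if event in ("socket.connect", "socket.sendto", "socket.sendmsg"):  # (sock, address)
        host = _host_of(args[1])
        OBSERVED.append((event, host))
        if host in allowed_hosts or host in allowed_ips:
            return True
        try:
            return ipaddress.ip_address(host).is_loopback   # literal IP: loopback only
        except ValueError:
            return False                         # hostname or AF_UNIX path not on the list
    return True


def audit_hook(event, args):
    if not check_event(event, args):
        raise RuntimeError(f"blocked {event} -> {OBSERVED[-1][1]}")


def main(argv):
    # Resolve the allow-listed hosts before arming the hook, so that the literal
    # IPs urllib connects to after its own getaddrinfo call are recognised.
    for host in ALLOWED_HOSTS:
        for info in socket.getaddrinfo(host, 443):
            ALLOWED_IPS.add(info[4][0])
    sys.addaudithook(audit_hook)                 # audit hooks cannot be removed again
    sys.argv = argv                              # e.g. ["source/cli.py", "./test_skill"]
    try:
        runpy.run_path(argv[0], run_name="__main__")
    finally:
        print("\nnetwork events observed:")
        for event, target in OBSERVED:
            print(f"  {event:22} {target}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Invoke it as `python3 audit_run.py source/cli.py ./test_skill ...` (the wrapper's file name is a choice of this example). The scanner may catch the RuntimeError and carry on, so read the printed event list rather than relying on a crash. Audit hooks see only this interpreter: subprocesses and native extensions are not covered, and for those you want OS-level controls (a firewall rule, a network namespace, or a container without network) instead.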
Capability Analysis
Type: OpenClaw Skill
Name: skill-secure-checker
Version: 0.1.0
The skill is a legitimate security scanning tool designed for static analysis of Python code and configuration files. It identifies dangerous functions (e.g., eval, exec, os.system), hardcoded secrets (API keys, tokens), and insecure communication patterns. The implementation in source/scanner.py parses code with Python's ast module (the scanned code is parsed, not imported or executed) and uses standard regular expressions for secret detection. The installation script (install.sh) and CLI entry point (source/cli.py) follow standard practices for local tools, and no evidence of data exfiltration, malicious execution, or prompt injection was found in the visible code.
Capability Assessment
Purpose & Capability
Name/description, CLI, scanner implementation, and tests all align: this is a Python static analyzer that optionally queries VirusTotal. The declared runtime requirements (no mandatory env vars) are consistent. Minor inconsistency: registry metadata says 'No install spec / instruction-only', but the package includes an install.sh and a skill.json with an install script — so the package is not purely instruction-only as the registry entry implies.
Instruction Scope
SKILL.md and CLI direct the tool to read files under the user-supplied skill_path, generate JSON/HTML, and optionally call VirusTotal when a key is provided. The scanner code shows AST-based checks, regex checks, config and text file scanning, and limits (text files limited to 10, VT scans limited to first 5 files). It does not attempt to read unrelated system configs or environment variables beyond the optional VT key and does not transmit data anywhere else in the visible code. Recommend reviewing the truncated _scan_with_virustotal implementation to confirm only VirusTotal is contacted and no other endpoints are used.
Install Mechanism
No formal install spec in registry, but the repo contains install.sh that creates a symlink in ${HOME}/.local/bin to source/cli.py and sets execute bits. This is simple but fragile: the symlink points into the repo directory (so moving/cleaning the repo can break the CLI). No external downloads or network installers are used. Review install.sh before running; it does not perform privileged actions.
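A copy-based alternative to the symlink, as an added example and not the skill's own install.sh: copy the reviewed source/ tree into a prefix you control and write a small wrapper script, so the installed command keeps working after the checkout is moved or deleted and runs exactly the code that was reviewed. The repo layout (source/cli.py as entry point) is taken from this listing; the prefix layout and wrapper name are assumptions.

```python
import os
import shlex
import shutil
import stat
import tempfile
from pathlib import Path

TOOL = "skill-secure-checker"
ENTRY = Path("source") / "cli.py"   # entry point named on the page


def install_copy(repo_dir, prefix):
    """Copy <repo>/source to <prefix>/share/<TOOL>/source and write <prefix>/bin/<TOOL>."""
    repo_dir = Path(repo_dir).resolve()
    prefix = Path(prefix).resolve()
    if not (repo_dir / ENTRY).is_file():
        raise FileNotFoundError(f"no {ENTRY} under {repo_dir}")
    # Refuse symlinks: following one could copy files from outside the checkout.
    for path in (repo_dir / "source").rglob("*"):
        if path.is_symlink():
            raise ValueError(f"refusing to install: symlink {path}")
    share = prefix / "share" / TOOL
    if share.exists():
        shutil.rmtree(share)              # replace, never merge with, an older install
    shutil.copytree(repo_dir / "source", share / "source")
    bindir = prefix / "bin"
    bindir.mkdir(parents=True, exist_ok=True)
    wrapper = bindir / TOOL
    target = shlex.quote(str(share / ENTRY))
    wrapper.write_text(f'#!/bin/sh\nexec python3 {target} "$@"\n')
    wrapper.chmod(wrapper.stat().st_mode | stat.S_IXUSR)
    return wrapper


def demo():
    """Constructed checkout in a temp dir, installed into a temp prefix (example only)."""
    tmp = Path(tempfile.mkdtemp())
    repo = tmp / "repo"
    (repo / "source").mkdir(parents=True)
    (repo / ENTRY).write_text("print('constructed stand-in for cli.py')\n")
    wrapper = install_copy(repo, tmp / "prefix")
    installed = (tmp / "prefix" / "share" / TOOL / ENTRY).resolve()
    return {
        "wrapper": wrapper,
        "executable": os.access(wrapper, os.X_OK),
        "installed_matches_repo": installed.read_text() == (repo / ENTRY).read_text(),
        "wrapper_targets_copy": str(installed) in wrapper.read_text(),
    }


if __name__ == "__main__":
    print(demo())
```

Run `install_copy("/path/to/checkout", Path.home() / ".local")` after you have read the code; the wrapper lands in ~/.local/bin like the original symlink, but nothing in ~/.local points back into the checkout.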
Credentials
The only optional credential is a VirusTotal API key (virustotal_api_key / VT_API_KEY), which is appropriate for the optional VirusTotal integration. The skill does not request unrelated credentials or system secrets in its metadata. The scanner itself looks for hardcoded secrets in scanned code (sk-, ghp_, JWT patterns) which is expected behavior for this tool.
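To make the checks described under Capability Analysis, Instruction Scope and Credentials concrete, here is an added example (not the skill's scanner.py) of an AST-based dangerous-call check that resolves import aliases, plus regex detection of hardcoded secrets, run over a constructed sample file and summed into a risk score. The call list, the regexes for sk-, ghp_ and JWT values, and the severity weights are illustrative assumptions; the real scanner's lists are not reproduced on the page.

```python
import ast
import re
from dataclasses import dataclass

# Assumption: illustrative lists; the real scanner's names, regexes and weights are not shown.
DANGEROUS_CALLS = {
    "eval": "high",
    "exec": "high",
    "os.system": "high",
    "subprocess.Popen": "medium",
    "pickle.loads": "medium",
}
SECRET_PATTERNS = {
    "openai_key": re.compile(r"sk-[A-Za-z0-9]{20,}"),
    "github_token": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}
SEVERITY_SCORE = {"high": 10, "medium": 5, "low": 1}


@dataclass
class Finding:
    kind: str       # "dangerous_call", "hardcoded_secret" or "parse_error"
    detail: str
    severity: str
    line: int


def _dotted_name(node):
    """'os.system' for an Attribute chain, 'eval' for a bare Name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _CallVisitor(ast.NodeVisitor):
    """Collects calls to DANGEROUS_CALLS, resolving aliases such as
    'import os as o' or 'from subprocess import Popen as run'.
    Limit: getattr(os, "system"), __import__("os") or names built at runtime
    are not seen, so a clean result is not proof of absence."""

    def __init__(self):
        self.aliases = {}
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        prefix = f"{node.module}." if node.module else ""
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = prefix + alias.name
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name:
            head, _, rest = name.partition(".")
            canonical = self.aliases.get(head, head) + (f".{rest}" if rest else "")
            severity = DANGEROUS_CALLS.get(canonical)
            if severity:
                self.findings.append(Finding("dangerous_call", canonical, severity, node.lineno))
        self.generic_visit(node)


def scan_source(text, path="<memory>"):
    """Static checks only: the source is parsed, never imported or executed."""
    findings = []
    try:
        tree = ast.parse(text, filename=path)
    except SyntaxError as exc:
        findings.append(Finding("parse_error", str(exc), "low", exc.lineno or 0))
    else:
        visitor = _CallVisitor()
        visitor.visit(tree)
        findings.extend(visitor.findings)
    # Secrets are matched on raw lines, so they are also found in comments and strings.
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding("hardcoded_secret", label, "high", lineno))
    return findings


def risk_score(findings):
    return sum(SEVERITY_SCORE[f.severity] for f in findings)


# Constructed sample; the aliases are there to defeat a naive name match.
SAMPLE = '''import os as o
from subprocess import Popen as run
API_KEY = "sk-abcdefghijklmnopqrstuvwxyz0123"
TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"

def run_cmd(cmd):
    o.system(cmd)
    run(["ls"])
    return eval("1+1")
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE, "sample_skill.py")
    for f in found:
        print(f"{f.severity:6} line {f.line:3} {f.kind}: {f.detail}")
    print("risk score:", risk_score(found))
```

Two points the block makes that the prose does not: alias resolution is what separates a useful AST check from grepping for "os.system", and even so the check is evadable by anything that builds the name at runtime, which is why the VirusTotal step and a manual read remain worthwhile.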
Persistence & Privilege
The always flag is false and the skill does not request persistent platform privileges. The installer creates a user-level symlink in ~/.local/bin only. The tool writes HTML reports into the scanned skill_path when asked, which is expected; it does not modify other skills' configs or global agent settings in the visible code.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skill-secure-checker
- After installation, invoke the skill by name or use /skill-secure-checker
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
skill-secure-checker v0.1.0
- Initial release supporting static code analysis for Python skills.
- Detects hardcoded secrets, dangerous functions, and risky code patterns.
- Integrates VirusTotal API for optional file reputation checks.
- Outputs machine-readable JSON and user-friendly HTML security reports.
- Risk scoring with configurable severity thresholds.
- Zero external Python dependencies; works standalone.
Frequently Asked Questions
What is Skill Security Scanner?
Automatically scans Python skill code to detect security risks like malicious patterns, hardcoded secrets, dangerous functions, and integrates VirusTotal sca... It is an AI Agent Skill for Claude Code / OpenClaw, with 104 downloads so far.
How do I install Skill Security Scanner?
Run "/install skill-secure-checker" in the OpenClaw or Claude Code chat to install it. Note that the package also ships an install.sh that symlinks source/cli.py into ~/.local/bin; review it before running it (see Usage Guidance above).
Is Skill Security Scanner free?
Yes, Skill Security Scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Security Scanner support?
Skill Security Scanner runs anywhere OpenClaw / Claude Code is available. The bundled install.sh creates a symlink in ~/.local/bin, a Unix-style location, so check that path suits your system before using the installer.
Who created Skill Security Scanner?
It is built and maintained by utopiabenben (@utopiabenben); the current version is v0.1.0.