← Back to Skills Marketplace
cookiemikeliu

skill-security-scanner-clean

by RUI LIU · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
398
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install skill-security-scanner-clean
Description
Security scanner for OpenClaw skills. Use when installing, updating, or auditing skills to detect malicious backdoors, suspicious code patterns, data exfiltr...
Usage Guidance
This skill appears to do what it says: a local static scanner for OpenClaw skills. Before installing or relying on it, consider the following: 1) Source provenance: the package has no homepage and the owner is unknown — review the code yourself or prefer a scanner from a trusted, verifiable source. 2) False positives: some detection rules are broad (flags for common hosts, IPs, or large/minified files); treat 'WARNING'/'REVIEW' results as prompts for manual inspection rather than automatic rejection. 3) Artifacts: the install guard saves a .security_scan_report.json inside the scanned skill directory — ensure you are comfortable with that artifact being created. 4) Safe testing: run the scanner on known-good and known-bad samples in an isolated environment to validate its behavior and tune expectations (or strict mode). 5) If you plan to integrate this into automation, review the scoring/verdict thresholds in references/rules-reference.md and consider whitelisting legitimate patterns to reduce noise.
Capability Analysis
Type: OpenClaw Skill Name: skill-security-scanner-clean Version: 1.0.0 This skill bundle is a security scanner designed to detect malicious and suspicious patterns in other OpenClaw skills. The code (`scripts/install_guard.py`, `scripts/security_scanner.py`) itself does not exhibit any malicious behavior. It performs static analysis by reading skill files, identifying dangerous functions, network calls, file operations, and environment variable access patterns. The `SKILL.md` provides clear documentation for the scanner's purpose and usage, without any prompt injection attempts against the AI agent. File operations are limited to reading scanned files and writing a security report within the scanned skill's directory. No evidence of data exfiltration, unauthorized execution, persistence, or obfuscation within the scanner's own code was found.
Capability Assessment
Purpose & Capability
Name/description match the included files: SKILL.md, scripts/security_scanner.py, and an install guard. The scanner implements pattern-based detection for eval/exec, network calls, file ops, env access, obfuscation, etc., which is appropriate for a security scanner. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md and scripts instruct the agent/human to run the scanner against a skill directory and to incorporate it into install workflows. That is within scope. Notes: (1) Detection rules explicitly flag some legitimate hosting services and IP literals (e.g., gist.github.com, drive.google.com, dropbox.com, raw IPs), which is an overbroad heuristic that will cause false positives in otherwise legitimate skills. (2) Some regexes (e.g., obfuscation patterns) are coarse and may trigger on large/minified legitimate files. (3) The install_guard will save a .security_scan_report.json into the scanned skill directory (which is useful but adds an artifact to the scanned path).
Install Mechanism
There is no install spec; this is effectively an instruction + code bundle. No remote downloads, package managers, or archive extractions are performed by the skill itself. Code files are present in the package and executed locally; that is expected for this tool.
Credentials
The skill declares no required environment variables, no credentials, and no privileged config paths. The scanner code does look for environment-accessing patterns in scanned code (appropriate for its purpose) but does not itself attempt to read the host environment or request secrets.
Persistence & Privilege
The skill does not request permanent 'always' presence and uses normal model invocation. It will write a .security_scan_report.json into the scanned skill directory when run via the install_guard, which is reasonable for an audit tool but worth knowing (artifact persistence). It does not modify other skills' configs or system-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skill-security-scanner-clean
  3. After installation, invoke the skill by name or use /skill-security-scanner-clean
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of skill-security-scanner: - Introduces a static security scanner for OpenClaw skills detecting backdoors, suspicious code, data exfiltration, and vulnerabilities. - Analyzes Python, JavaScript, and Shell code for code execution threats, network requests, file operations, credential access, obfuscation, and more. - Assigns a security score and clear verdict (PASS, REVIEW, WARNING, REJECT) with actionable recommendations. - Provides CLI usage modes including strict scanning and report generation in JSON or Markdown. - Details detection rules, integrating common patterns and threat signatures for comprehensive auditing. - Includes best practices, workflow guidance, and integration examples to ensure safe skill installation and updates.
Metadata
Slug skill-security-scanner-clean
Version 1.0.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is skill-security-scanner-clean?

Security scanner for OpenClaw skills. Use when installing, updating, or auditing skills to detect malicious backdoors, suspicious code patterns, data exfiltr... It is an AI Agent Skill for Claude Code / OpenClaw, with 398 downloads so far.

How do I install skill-security-scanner-clean?

Run "/install skill-security-scanner-clean" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is skill-security-scanner-clean free?

Yes, skill-security-scanner-clean is completely free (open-source). You can download, install and use it at no cost.

Which platforms does skill-security-scanner-clean support?

skill-security-scanner-clean is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created skill-security-scanner-clean?

It is built and maintained by RUI LIU (@cookiemikeliu); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments