ClawSec Audit
/install clawsec-audit
⚡ ClawSec
Security verification for ClawHub skills. Scan any skill -- by ClawHub slug or local path -- against 9 continuously-updated threat intelligence sources using 7 autonomous security checks.
When to use
Use ClawSec before installing a skill from ClawHub to verify it is safe. Also use it when developing your own skills -- scan before publishing to catch issues early.
Quick start
clawsec scan weather-forecast # Scan by ClawHub slug (downloads, scans, cleans up)
clawsec scan ./my-skill # Scan a local skill directory
clawsec scan ./my-skill --checks dep-scan,secret-scan # Run specific checks only
clawsec scan ./my-skill --json # JSON output for programmatic use
First run sets up a Python venv and syncs threat intel automatically. After that, clawsec scan works with zero configuration.
Parameters
When an agent invokes this skill through OpenClaw:
- target (required) -- Local directory path or ClawHub skill slug (e.g. weather-forecast). If a slug is given, the skill is downloaded to a sandboxed temp directory, scanned, and removed.
- checks (optional) -- Comma-separated list: dep-scan,static-analysis,secret-scan,yara-scan,ioc-match,behavioral,prompt-inject. Default: all 7.
- json (optional) -- Output results as JSON for programmatic use.
Output
ClawSec returns a structured report with:
- verdict -- pass, warn, or fail
- findings -- Array of issues, each with severity (critical, high, medium), description, and file location
- report_id -- Full UUID for later retrieval via clawsec report <id>
Exit codes: 0 = pass, 1 = warn, 2 = fail
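A small pre-install gate built on the report structure and exit codes described above. This is an added example, not code from the ClawSec project: it assumes the JSON report uses top-level keys named "verdict", "findings" and "report_id" and that each finding carries "severity", "description" and "file" (key names are an assumption to be checked against real `clawsec scan --json` output). The policy it shows goes slightly beyond the page: a fail verdict always blocks, while a warn verdict blocks only when a finding is at or above a configurable severity.

```python
"""Pre-install gate around `clawsec scan --json` (added example, not ClawSec's own code).

Assumed report shape (adjust key names to the real JSON output):
    {"verdict": "pass|warn|fail",
     "findings": [{"severity": "critical|high|medium",
                   "description": "...", "file": "..."}],
     "report_id": "<uuid>"}
"""
import json
import subprocess
import sys

# Exit codes documented for `clawsec scan`: 0 = pass, 1 = warn, 2 = fail.
EXIT_PASS, EXIT_WARN, EXIT_FAIL = 0, 1, 2

# Severity ladder used by the page; higher rank = more serious.
SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def gate(report: dict, block_at: str = "high") -> tuple[bool, list[str]]:
    """Return (allowed, reasons) for a parsed report.

    A "fail" verdict always blocks. Otherwise the skill is blocked if any
    finding's severity is at or above `block_at`, so medium-severity
    warnings can be tolerated by policy while high/critical ones cannot.
    Unknown or missing severities are ranked as critical so that a key-name
    mismatch fails closed rather than silently allowing the install.
    """
    reasons: list[str] = []
    if report.get("verdict", "fail") == "fail":
        reasons.append("verdict is fail")
    threshold = SEVERITY_RANK[block_at]
    for finding in report.get("findings", []):
        sev = finding.get("severity", "critical")
        if SEVERITY_RANK.get(sev, 3) >= threshold:
            reasons.append(
                f"{sev}: {finding.get('description')} ({finding.get('file', '?')})"
            )
    return (not reasons, reasons)


def scan(target: str) -> tuple[int, dict]:
    """Run `clawsec scan <target> --json` and return (exit_code, report).

    Any exit code outside 0/1/2 means the scanner itself did not complete;
    that is raised as an error rather than treated as a clean result.
    """
    proc = subprocess.run(
        ["clawsec", "scan", target, "--json"], capture_output=True, text=True
    )
    if proc.returncode not in (EXIT_PASS, EXIT_WARN, EXIT_FAIL):
        raise RuntimeError(f"clawsec did not complete: {proc.stderr.strip()}")
    return proc.returncode, json.loads(proc.stdout)


# Constructed sample report in the assumed shape, used when no target is given.
SAMPLE_REPORT = {
    "verdict": "warn",
    "findings": [
        {"severity": "medium", "description": "eval() usage", "file": "index.js"},
        {"severity": "high", "description": "hardcoded API key", "file": "config.js"},
    ],
    "report_id": "00000000-0000-0000-0000-000000000000",  # placeholder UUID
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        code, report = scan(sys.argv[1])
    else:
        code, report = EXIT_WARN, SAMPLE_REPORT
    allowed, reasons = gate(report)
    print("ALLOW" if allowed else "BLOCK",
          f"(clawsec exit {code}, report {report.get('report_id')})")
    for reason in reasons:
        print("  -", reason)
    sys.exit(0 if allowed else 1)
```

Run it as `python gate.py weather-forecast` to scan a slug, or with no arguments to exercise the constructed sample; the process exit status (0 allow, 1 block) makes it usable directly as a CI step.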
Checks
| Check | What it does |
|---|---|
| dep-scan | Cross-references dependencies against CISA KEV and OSV databases |
| static-analysis | Runs Semgrep rules for security anti-patterns |
| secret-scan | Scans for hardcoded API keys, tokens, and credentials using Gitleaks |
| yara-scan | Matches files against YARA rules for malware patterns |
| ioc-match | Matches IPs, domains, URLs, and file hashes against ThreatFox, URLhaus, MalwareBazaar, and Feodo Tracker |
| behavioral | Detects eval usage, shell injection, data exfiltration vectors, DNS tunneling |
| prompt-inject | Detects prompt injection and instruction-hiding patterns in SKILL.md |
Threat intel sources (9)
CISA KEV, OSV (npm + PyPI), EPSS, MalwareBazaar, URLhaus, ThreatFox, Feodo Tracker, YARA Rules, Semgrep Rules
Run clawsec sync to refresh the intel cache. First clawsec scan auto-syncs if no cache exists.
Security and Privacy
- No data leaves your machine. All scanning is local. No telemetry, no phone-home, no analytics.
- Slug scans are sandboxed. Downloaded skills go to a 0700 temp directory with execute bits stripped and npm scripts suppressed. Cleaned up after scanning.
- During scan, zero network requests. All intel is read from the local cache.
- During sync, only public threat intel feeds are contacted. No skill code or scan targets are ever transmitted externally.
Local files
- Read: ~/.clawsec/intel/ (threat intel cache), skill directory passed as target
- Written: ~/.clawsec/intel/, ~/.clawsec/reports/, ~/.clawsec/venv/, ~/.clawsec/clawsec.log
- First clawsec sync (or auto-sync) downloads approximately 50–100 MB of threat intel data
Install
npm install -g @lowwattlabs/clawsec
Or let OpenClaw install it via the skill install spec above.
License
MIT-0
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install clawsec-audit
- After installation, invoke the Skill by name directly or trigger it with /clawsec-audit
- Provide the required inputs described under Parameters to receive structured output
What is ClawSec Audit?
Scan ClawHub skills for security vulnerabilities before installing -- 9 threat intel sources, 7 autonomous checks, slug or local path scan. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 85 downloads to date.
How do I install ClawSec Audit?
Run the command "/install clawsec-audit" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is ClawSec Audit free?
Yes, ClawSec Audit is completely free. It is licensed under MIT-0 and can be freely downloaded, installed, and used.
Which platforms does ClawSec Audit support?
ClawSec Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed ClawSec Audit?
Developed and maintained by jchandler187 (@jchandler187); the current version is v2.4.1.