
SafeInstall

Author: jchandler187 · GitHub · v2.5.2 · MIT-0
cross-platform ⚠ pending
Total downloads: 80 · Favorites: 1 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install safeinstall
Description
Pre-install security audit and vulnerability scanner for ClawHub skills -- scan by slug or local path, 9 threat intel sources, 7 checks including malware sca...
Usage (SKILL.md)

⚡ SafeInstall

SafeInstall is a local-first security scanner for ClawHub skills. It runs 7 autonomous checks against 9 live threat intelligence feeds and returns a structured verdict -- pass, warn, or fail -- before you install.

Unlike instruction-card security skills that tell agents what to look for, SafeInstall actually runs the checks: dependency lookups against CISA KEV and OSV, credential scanning with Gitleaks, malware pattern matching with YARA, IOC matching against ThreatFox/URLhaus/MalwareBazaar/Feodo, behavioral analysis for eval and injection patterns, and prompt injection detection in SKILL.md files.

All scanning is offline. No telemetry. No phone-home. No data leaves your machine.

When to use

  • Before installing a skill from ClawHub -- verify it is safe
  • Before publishing your own skills -- catch issues early
  • When reviewing skills for your team or organization
  • As part of CI/CD or pipeline validation
  • When you want to verify a skill is safe before trusting it with your environment
  • Any time an agent encounters an untrusted skill and needs a security check

Quick start

safeinstall scan weather-forecast        # Scan by ClawHub slug
safeinstall scan ./my-skill              # Scan a local skill directory
safeinstall scan ./my-skill --checks dep-scan,secret-scan
safeinstall scan ./my-skill --json       # JSON output for pipelines

First run sets up a Python venv and syncs threat intel automatically. After that, scanning works with zero configuration.

How it works

SafeInstall downloads the skill to a sandboxed 0700 temp directory, strips execute bits from all files, suppresses npm install scripts, runs all enabled checks against the local intel cache, produces a structured JSON report with findings, and cleans up the downloaded skill.
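
The staging steps in that paragraph, sketched as an added shell example; this is not SafeInstall's own code. The function names, the `skill-stage` prefix and the use of a project-level `.npmrc` with `ignore-scripts=true` to suppress npm scripts are assumptions.

```shell
# Added illustration, not SafeInstall's code: stage an untrusted skill so that
# nothing inside it can be executed by accident while it is being inspected.
stage_skill() {
    src="$1"
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }

    # Private working directory: owner-only (0700), unpredictable name.
    stage="$(mktemp -d "${TMPDIR:-/tmp}/skill-stage.XXXXXX")" || return 2
    chmod 700 "$stage"

    # -P copies symlinks as links instead of following them out of the tree.
    cp -RP "$src"/. "$stage"/ || { rm -rf "$stage"; return 2; }

    # Strip every execute bit from regular files; directories keep theirs
    # so the scanner can still traverse them.
    find "$stage" -type f -exec chmod a-x {} +

    # Assumption: npm lifecycle scripts are suppressed via project config.
    # Remove any shipped .npmrc first: it may be a symlink, and writing
    # through it would modify a file outside the staging directory.
    rm -f "$stage/.npmrc"
    printf 'ignore-scripts=true\n' > "$stage/.npmrc"

    printf '%s\n' "$stage"
}

cleanup_stage() {
    # Refuse to delete paths that do not look like our staging directories.
    case "$1" in
        */skill-stage.*) rm -rf -- "$1" ;;
        *) return 1 ;;
    esac
}
```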

Exit codes: 0 = pass, 1 = warn, 2 = fail
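
A pipeline gate built on those exit codes, as an added example that is not part of SafeInstall. The `gate_skill` function and the `SCANNER`, `WARN_POLICY` and `REPORT` variables are assumptions; any exit code other than 0, 1 or 2 (scanner missing, crashed or killed) is treated as a block so the gate fails closed.

```shell
# Added example, not SafeInstall's code. Maps the documented exit codes
# (0 = pass, 1 = warn, 2 = fail) to an install decision.

# SCANNER is overridable so the gate can be exercised without the real CLI.
SCANNER="${SCANNER:-safeinstall}"
# WARN_POLICY: "allow" lets warn verdicts through, "block" rejects them.
WARN_POLICY="${WARN_POLICY:-block}"

gate_skill() {
    target="$1"
    rc=0
    # Keep the JSON report for later review if REPORT names a file.
    "$SCANNER" scan "$target" --json > "${REPORT:-/dev/null}" || rc=$?
    case "$rc" in
        0) echo "pass"; return 0 ;;
        1) if [ "$WARN_POLICY" = "allow" ]; then
               echo "warn-allowed"; return 0
           fi
           echo "warn-blocked"; return 1 ;;
        2) echo "fail"; return 1 ;;
        # Not a verdict at all: the scan did not complete, so do not install.
        *) echo "scanner-error($rc)"; return 1 ;;
    esac
}

# Usage in a pipeline step:
#   gate_skill ./my-skill || exit 1
```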

Checks

| Check | What it does |
| --- | --- |
| dep-scan | Cross-references dependencies against CISA KEV and OSV databases |
| static-analysis | Runs Semgrep rules for security anti-patterns (offline, no phone-home) |
| secret-scan | Scans for hardcoded API keys, tokens, and credentials using Gitleaks |
| yara-scan | Matches files against YARA rules for malware patterns |
| ioc-match | Matches IPs, domains, URLs, and file hashes against ThreatFox, URLhaus, MalwareBazaar, and Feodo Tracker |
| behavioral | Detects eval usage, shell injection, data exfiltration vectors, DNS tunneling |
| prompt-inject | Detects prompt injection and instruction-hiding patterns in SKILL.md |

Threat intel sources (9)

CISA KEV, OSV (npm + PyPI), EPSS, MalwareBazaar, URLhaus, ThreatFox, Feodo Tracker, YARA Rules, Semgrep Rules

Run clawsec sync to refresh the intel cache. First scan auto-syncs if no cache exists.

Parameters

When an agent invokes this skill through OpenClaw:

  • target (required) -- Local directory path or ClawHub skill slug. If a slug is given, the skill is downloaded to a sandboxed temp directory, scanned, and removed.
  • checks (optional) -- Comma-separated list: dep-scan, static-analysis, secret-scan, yara-scan, ioc-match, behavioral, prompt-inject. Default: all 7.
  • json (optional) -- Output results as JSON for programmatic use.

Security and Privacy

  • No telemetry, no phone-home, no analytics. All scanning is local.
  • During scan, zero network requests. All intel is read from the local cache.
  • During sync, only public threat intel feeds are contacted. No skill code or scan targets are ever transmitted externally.
  • Slug scans are sandboxed: 0700 temp dir, execute bits stripped, npm scripts suppressed, cleaned up after scanning.

Local files

  • Read: ~/.clawsec/intel/ (threat intel cache), skill directory passed as target
  • Written: ~/.clawsec/intel/, ~/.clawsec/reports/, ~/.clawsec/venv/, ~/.clawsec/clawsec.log
  • First sync downloads approximately 50-100 MB of threat intel data

Install

npm install -g @lowwattlabs/clawsec

Or let OpenClaw install it via the skill install spec above.

License

MIT-0

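How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install safeinstall
  3. Once installed, call the Skill by name or trigger it with /safeinstall
  4. Provide the required inputs described in the Skill's parameters to get structured output
Version history
v2.5.2
Adjusted description and content for search coverage. Cleaner, more technical tone.
v2.5.0
Security audit and vulnerability scanner for ClawHub skills.
Metadata
Slug: safeinstall
Version: 2.5.2
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 2
FAQ

What is SafeInstall?

Pre-install security audit and vulnerability scanner for ClawHub skills -- scan by slug or local path, 9 threat intel sources, 7 checks including malware sca... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 80 total downloads so far.

How do I install SafeInstall?

Run the command "/install safeinstall" in the OpenClaw or Claude Code chat box for a one-step install, with no extra configuration.

Is SafeInstall free?

Yes. SafeInstall is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does SafeInstall support?

SafeInstall is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who develops SafeInstall?

It is developed and maintained by jchandler187 (@jchandler187); the current version is v2.5.2.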
