skill shield

AI Agent Skill Security Scanner - Detect malicious skills, verify signatures, analyze permissions, and provide trust ratings for the agent ecosystem. Protect...

This package appears to implement a legitimate local skill scanner, but it contains surprising external-integration code you should not run blindly. Key points to consider before installing or running: 1) upload_to_moltbook.py has a hard-coded Moltbook API token — treat that as sensitive and potentially active; do not run the uploader unless you trust the token and endpoint. 2) The guardian/monitor will query and (intended) post to an external service — run only in a sandbox and inspect network calls first. 3) The skill metadata declares no required env vars but the code uses MOLTBOOK_API_KEY; confirm what keys will actually be used and rotate/revoke any embedded tokens. 4) Review scripts for any code paths that read or post local filesystem information (the uploader's post content references local paths). 5) Prefer running the scanner with read-only access to a copy of the skill repository, or inspect/grep the code first (search for 'MOLTBOOK', 'API_KEY', 'create_post', 'urlopen', 'urllib.request'). If you need the scanner but not the network behavior, remove or disable the Moltbook-related scripts before use.

Type: OpenClaw Skill Name: skillshieldskill Version: 1.0.0 thought The user wants me to analyze a set of files for an OpenClaw AgentSkill bundle named "SkillShield". I need to classify it as `benign`, `suspicious`, or `malicious` based on the provided criteria. - `_meta.json`: Metadata about the skill. - `SKILL.md`: Instructions for the AI agent, including triggers and usage examples. - `scripts/moltbook_guardian.py`: A script to monitor "Moltbook" for new skills and scan them. - `scripts/publish.py`: A script to help publish the skill. - `scripts/skillshield.py`: The core logic for scanning other skills for security issues. - `scripts/upload_to_moltbook.py`: A script to upload a post about SkillShield to Moltbook. - `README.md`: Documentation. - `ownerId`: `kn74hx92ap9qnkqd2dep1bg8xd81whhb` - `slug`: `skillshieldskill` - `version`: `1.0.0` - Description: AI Agent Skill Security Scanner. - Triggers: `skillshield`, `scan skill`, etc. - Usage: Shows how to run `skillshield.py`. - Mentions `moltbook_guardian.py` for monitoring. - Seems aligned with the stated purpose. - Purpose: Monitor Moltbook API for new skills. - `MOLTBOOK_API = "https://www.moltbook.com/api/v1"` - `API_KEY = os.environ.get('MOLTBOOK_API_KEY', '')` - `get_recent_posts`: Fetches posts from the API. - `check_for_skill_posts`: Filters posts for skill-related keywords. - `generate_security_comment`: Formats a report. - `monitor`: Loop that fetches posts and (eventually) scans them. - Note: `scan_skill_by_url` and `post_comment` are placeholders (`pass` or `TODO`). - This script seems like a legitimate utility for the stated purpose. - Purpose: Helper for publishing. - Checks for required files. - Runs a self-scan using `skillshield.py`. - Provides instructions for publishing via CLI or GitHub. - Seems benign. - This is the core logic. - It defines patterns for sensitive files (`.ssh`, `.aws`, `.env`, etc.), dangerous commands (`os.system`, `exec`, `eval`), and suspicious patterns (`base64`, `webhook`, etc.). - `scan` method: Walks a directory, reads files, and checks against these patterns. - `_check_network_requests`: Extracts URLs and domains. Flags suspicious domains (webhook, pastebin, etc.). - `_check_data_exfiltration`: Specifically looks for the combination of reading env vars and sending HTTP requests. - `_calculate_rating`: Assigns a grade (A+ to F). - `format_report`: Generates a text report. - This is a static analysis tool. While it uses `subprocess.run` in `publish.py` to call itself, the scanner itself doesn't seem to execute the code it scans (it reads it as text). - Purpose: Posts an announcement to Moltbook. - `API_KEY = os.environ.get('MOLTBOOK_API_KEY', 'moltbook_sk_JMb6t_WI-xq7SQapbAYXF9BFBPuXBuuM')` - **Wait, there's a hardcoded API key here.** - `moltbook_sk_JMb6t_WI-xq7SQapbAYXF9BFBPuXBuuM` - Is this a real key or a placeholder? It looks like a specific key format. - However, the script's purpose is to upload *to* Moltbook. Hardcoding a key in a "publisher" script is a bad practice (vulnerability/suspicious) but not necessarily malicious unless it's stealing something. - The content being posted is a promotional text for SkillShield. - Standard documentation. - The tool is a security scanner. It naturally looks for sensitive patterns. - It doesn't seem to exfiltrate data *itself* (except for the intended behavior of posting reports to Moltbook if configured). - The hardcoded API key in `upload_to_moltbook.py` is a security flaw (credential exposure), but it's the author's own key (presumably) or a dummy key for the platform they are targeting. - The `SKILL.md` doesn't contain prompt injection instructions to subvert the agent. - The logic in `skillshield.py` is purely regex-based static analysis. - Hardcoded API key: `moltbook_sk_JMb6t_WI-xq7SQapbAYXF9BFBPuXBuuM` in `scripts/upload_to_moltbook.py`. - Use of `subprocess` and `os.system` patterns (though the scanner flags these in *other* code, it doesn't use them maliciously itself). - The tool is designed to scan other skills, which involves reading files and potentially accessing network resources (though the current implementation of `moltbook_guardian.py` is mostly placeholders for the actual download/scan part). - Is there evidence of intentional harm? - The tool claims to be a security scanner. The code matches that description. - The hardcoded key is a vulnerability (credential leak), not a malicious "stealer". - No evidence of exfiltration of the *user's* data to an attacker-controlled server (the Moltbook API is the stated integration target). The skill is a security tool. It has a hardcoded API key in a helper script, which is a vulnerability. It performs static analysis on other files. There is no clear evidence of malicious intent. Classification: `suspicious` (due to the hardcoded API key and the broad file-reading nature of a scanner, which is a high-risk capability, even if intended for good). Wait, the instructions say: "Classify vulnerabilities... as 'suspicious', NOT 'malicious'". Let's re-evaluate `benign` vs `suspicious`. - Benign: "behavior is clearly aligned with the stated purpose and lacks meaningful high-risk behaviors." - Suspicious: "risky capabilities without clear malicious intent (e.g., shell/network/file access plausibly needed for the stated purpose...)" A security scanner *needs* file access. However, the hardcoded API key in `upload_to_moltbook.py` is a significant security oversight. Also, the `moltbook_guardian.py` script is designed to interact with an external API. Given the hardcoded credential and the nature of the tool (scanning/reading all files in a directory), `suspicious` is the safest and most accurate classification according to the prompt's rules. - Classification: suspicious - Summary: The skill is a security scanner that performs static analysis on other skills. While its functionality aligns with its stated purpose, it contains a hardcoded API key (`moltbook_sk_JMb6t_WI-xq7SQapbAYXF9BFBPuXBuuM`) in `scripts/upload_to_moltbook.py`, which is a significant security vulnerability. Additionally, the `scripts/moltbook_guardian.py` and `scripts/skillshield.py` scripts require broad file system access and network capabilities to function, which are high-risk behaviors. Wait, the prompt says: "benign only if behavior is clearly aligned with the stated purpose and lacks meaningful high-risk behaviors." Is a security scanner's file access "meaningful high-risk"? Yes. Is the hardcoded key a "vulnerability"? Yes. Therefore, `suspicious`. One more check: Is the hardcoded key a "canary" or a "trap"? It looks like a functional key for `moltbook.com`. Final check on `SKILL.md`: "AI Agent Skill Security Scanner - Detect malicious skills... Protects against credential stealers..." The instructions are standard for an agent. No prompt injection detected. The classification `suspicious` fits best because of the vulnerability and the high-privilege nature of the tool. ```json { "classification": "suspicious", "summary": "The SkillShield bundle is a security scanner that uses regex-based static analysis to detect malicious patterns in other skills. While its logic appears aligned with its stated purpose, it contains a hardcoded API key in `scripts/upload_to_moltbook.py` (`moltbook_sk_JMb6t_WI-xq7SQapbAYXF9BFBPuXBuuM`), which is a significant security vulnerability. The tool's requirement for broad file system access and network communication with the Moltbook API constitutes high-risk behavior." } ``` ```json { "classification": "suspicious", "summary": "The SkillShield bundle is a security scanner designed to perform static analysis on other AI agent skills. While the core logic in `scripts/skillshield.py` appears aligned with its stated purpose of detecting malicious patterns, the bundle contains a hardcoded API key in `scripts/upload_to_moltbook.py` (`moltbook_sk_JMb6t_WI-xq7SQapbAYXF9BFBPuXBuuM`), which is a significant security vulnerability. Additionally, the tool's inherent need for broad file system access and its integration with the Moltbook API (via `scripts/moltbook_guardian.py`) represent high-risk capabilities that warrant caution." } ```