SkillGuard Hardened

v1.0.5

Security guard for OpenClaw skills, developed and maintained by rose北港(小红帽 / 猫猫帽帽). Audits installed or incoming skills with local rules plus Zenmux AI inten...

Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name and description claim a skill auditor, and the package contains static-analysis, AI-audit, reporting, and remediation code that matches that purpose. Requiring python3 and a Zenmux API key is coherent. Minor oddities: SKILL.md mentions remote updates from moltbook.com and fluxapay.xyz (fluxapay.xyz is an unexpected host for a guard tool), and the human-readable SKILL.md documents an absolute default report path (/root/clawd/...) that doesn't match the policy placeholders used by the code (which render paths from the workspace). These should be verified but do not by themselves contradict the stated purpose.
Instruction Scope
SKILL.md and the scripts direct the agent to scan skill directories, run guarded execution wrappers, and perform quarantine/restore/delete actions — all within the declared purpose. The instructions include commands that fetch or install skills (npx-add, moltbook-install) and a guarded exec wrapper that will invoke untrusted code via subprocess; this is expected for an install-gate but expands the skill's runtime surface (network fetch + executing wrapped binaries). Confirm the guarded execution flow does not blindly execute remote content without verification.
Install Mechanism
There is no external install spec (instruction-only install behavior); the package contains Python scripts and no download/install step is required by the skill itself. This is the lower-risk model for a code-included skill.
Credentials
Only ZENMUX_API_KEY (and optional model override envs) are required for AI auditing. The code reads a few alternate env var names as fallbacks and optional model/base-url overrides. That level of credential access is proportional to an AI-backed auditing tool; there are no unrelated cloud credentials requested.
Persistence & Privilege
The skill modifies filesystem state (move to quarantine, delete with shutil.rmtree, write reports/audit logs). Those privileges are necessary for remediation but are high-impact. The policy enforces allowed roots and the code asserts operations stay within those allowed roots, which mitigates risk — still, deletion is possible and must be guarded by the operator flags described in SKILL.md.
Scan Findings in Context
[ignore-previous-instructions] expected: A prompt-injection phrase was detected in SKILL.md. Given this project is explicitly scanning for prompt-injection and documents examples, the presence of such text is likely illustrative/test content rather than an attempt to hijack the evaluator, but you should still inspect the exact occurrences to confirm they're only examples or detection rules.
Assessment
SkillGuard is broadly coherent: it legitimately needs python3 and an AI key, and the code implements scanning, AI-based intent checks, reporting, and quarantining. Before installing:
  1) Verify the Zenmux provider and limit the privileges of the ZENMUX_API_KEY (use a scoped key if possible).
  2) Inspect guarded_flow.py and manage_skill.py to confirm they enforce the --force/--yes delete confirmations and do not blindly execute remote content fetched via npx/curl/wget.
  3) Validate the remote-update hosts (moltbook.com and fluxapay.xyz); confirm they are official/trusted sources for policy/manifest updates, or remove/unconfigure remote updates.
  4) Confirm the configured allowed_roots/quarantine/report directories map to a workspace you control (avoid unexpected absolute paths like /root/clawd unless that is intended).
  5) Run the skill in an isolated test environment first and review logs/reports to ensure remediation actions behave as described.
If you are concerned about autonomous invocation, do not grant the agent permission to call this skill automatically until you have tested it.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛡️ Clawdis
Bins: python3
Env: ZENMUX_API_KEY
Primary env: ZENMUX_API_KEY
Tags: audit, compliance, deepseek, latest, remediation, security, skill
269 downloads
0 stars
6 versions
Updated 1mo ago
v1.0.5
MIT-0

小红帽 / 猫猫帽帽 / rose北港 SkillGuard (Hardened)

SkillGuard is a native security defense line for the OpenClaw skill ecosystem. It detects suspicious behavior before installing, updating, or executing skills, as well as during routine inspections, and provides controlled remediation actions such as quarantine, restore, and forced deletion.

Security Transparency & Disclosures

Note: SkillGuard is a high-privilege security tool. To protect your system, it requires certain capabilities that might be flagged by general scanners:

  • File Remediation: Uses shutil.rmtree to permanently delete malicious skills only when explicitly confirmed with --force --yes.
  • Guarded Execution: Uses subprocess.run to execute skills within a monitored wrapper.
  • Remote Updates: Downloads latest security policies and official skill manifests from trusted domains only (moltbook.com, fluxapay.xyz).
  • Clean Package: As of v1.0.2, all malicious test fixtures have been removed from the distribution package and are now generated dynamically during local testing only.

What It Does

  • Scans skill directories located under skills/ and .skills/.
  • Uses local static rules to identify high-risk behaviors, sensitive access, persistence, obfuscation, and prompt injection.
  • Uses Zenmux Claude for semantic-level intent auditing, identifying deviations between "declared capabilities" and "actual behavior".
  • Outputs structured JSON reports for easy consumption by other Agents or automated flows.
  • Supports isolation (quarantine) and restoration by default, and never physically deletes skills without explicit confirmation.

Commands

Full Audit

python3 {baseDir}/scripts/scan_skills.py scan
python3 {baseDir}/scripts/scan_skills.py scan --root /root/clawd/skills --root /root/clawd/.skills
python3 {baseDir}/scripts/scan_skills.py --format json scan
python3 {baseDir}/scripts/scan_skills.py scan --auto-remediate quarantine
python3 {baseDir}/scripts/scan_skills.py scan --auto-remediate delete --force --yes

Install Gate

python3 {baseDir}/scripts/scan_skills.py check-install /path/to/incoming-skill

Update Gate

python3 {baseDir}/scripts/scan_skills.py check-update /path/to/updated-skill

Pre-Execution Gate

python3 {baseDir}/scripts/scan_skills.py check-exec /path/to/skill
python3 {baseDir}/scripts/guarded_flow.py exec --skill-root /path/to/skill -- bash /path/to/skill/scripts/run.sh

Guarded Install / Update Flows

python3 {baseDir}/scripts/guarded_flow.py npx-add owner/repo@skill -g -y
python3 {baseDir}/scripts/guarded_flow.py npx-update
python3 {baseDir}/scripts/guarded_flow.py moltbook-install
python3 {baseDir}/scripts/guarded_flow.py moltbook-update

Quarantine / Restore / Delete

python3 {baseDir}/scripts/manage_skill.py quarantine suspicious-skill --reason "manual review"
python3 {baseDir}/scripts/manage_skill.py restore suspicious-skill
python3 {baseDir}/scripts/manage_skill.py list
python3 {baseDir}/scripts/manage_skill.py delete suspicious-skill --force --yes
python3 {baseDir}/scripts/manage_skill.py clean suspicious-skill
python3 {baseDir}/scripts/manage_skill.py disinfect suspicious-skill --action delete --force --yes

Exit Codes

  • 0: No block policies matched in this check.
  • 1: Block policy hit, or management action failed.

Report Output

Default JSON reports are written to:

/root/clawd/output/skillguard/reports/

Quarantine state and audit logs are written to:

/root/clawd/output/skillguard/quarantine/
/root/clawd/output/skillguard/audit.log

Safety Model

  • The default behavior acts as a 4-level recommendation (PASS / WARN / BLOCK / QUARANTINE) and will not delete automatically.
  • Deletion (delete) requires the explicit flags --force --yes.
  • clean / disinfect scan a skill first, then quarantine or delete it based on the resulting recommendation.
  • scan --auto-remediate upgrades bulk scanning into bulk quarantine/delete, and by default acts only on BLOCK / QUARANTINE.
  • Remediation actions only take effect within whitelisted skill root directories or SkillGuard's quarantine directory.
  • The Zenmux API Key is never hardcoded; it must be provided via environment variables:
    • ZENMUX_API_KEY
    • Optional model override: ZENMUX_MODEL
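The allowed-roots containment and delete-confirmation rules from the Safety Model above, together with the exit-code mapping from the Exit Codes section, as an added Python example (not SkillGuard's own code; the function names, the LEVELS tuple, the QUARANTINE-counts-as-block mapping and the sample paths are assumptions):

```python
import os
import shutil

# Added example, not SkillGuard's own code: a path-confinement guard and an
# action policy mirroring the safety model described above.
LEVELS = ("PASS", "WARN", "BLOCK", "QUARANTINE")


def within_roots(path, allowed_roots):
    """True only if the resolved path lies strictly inside an allowed root."""
    # realpath() collapses '..' and follows symlinks, so a symlinked skill dir
    # or a target like skills/../.ssh is rejected despite a matching prefix.
    real = os.path.realpath(path)
    for root in allowed_roots:
        real_root = os.path.realpath(root)
        if real == real_root:
            return False  # the root itself is never a remediation target
        if os.path.commonpath([real, real_root]) == real_root:
            return True
    return False


def exit_code(level):
    """Map the 4-level recommendation onto the documented exit codes."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    # Assumed: QUARANTINE is treated as a block-policy hit, so it also exits 1.
    return 1 if level in ("BLOCK", "QUARANTINE") else 0


def decide_action(level, auto_remediate=None, force=False, yes=False):
    """Return "quarantine", "delete" or None for one scan result."""
    # auto_remediate mirrors --auto-remediate; PASS / WARN never trigger an
    # action, and delete is refused unless both confirmation flags are set.
    if auto_remediate is None or level in ("PASS", "WARN"):
        return None
    if auto_remediate == "delete":
        if not (force and yes):
            raise PermissionError("delete requires --force --yes")
        return "delete"
    return "quarantine"


def remediate(skill_dir, action, allowed_roots, quarantine_dir):
    """Apply an action, refusing any target outside the allowed roots."""
    if not within_roots(skill_dir, allowed_roots):
        raise PermissionError(f"{skill_dir} is outside the allowed roots")
    if action == "delete":
        shutil.rmtree(skill_dir)
        return None
    dest = os.path.join(quarantine_dir, os.path.basename(skill_dir.rstrip("/")))
    shutil.move(skill_dir, dest)
    return dest
```

Note that the containment check compares resolved paths with commonpath rather than a string prefix, so a sibling directory such as skills-evil/ does not pass as being inside skills/.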

Notes

  • If the Zenmux API Key is not configured, SkillGuard will fall back to local rule mode and note in the report that AI auditing is not enabled.
  • Suitable as a pre-security checker for skill marketplaces, skill installers, or Agent schedulers.
  • guarded_flow.py is used to integrate SkillGuard into real installation, update, and execution workflows.
