Skulk Skill Scanner
v1.0.1
Scan OpenClaw skill folders for security red flags before installing or publishing. Detects data exfiltration, credential theft, prompt injection, destructiv...
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name, description, SKILL.md usage, and the included scripts/scanner.js are consistent: the tool is a static analyzer for skill folders and does only file-reading and pattern-matching. It does not request unrelated credentials, binaries, or system privileges.
Instruction Scope
SKILL.md limits runtime actions to running node scripts/scanner.js against a skill folder and describes the scanner's detection categories. This stays within the stated purpose. One design note: the scanner defaults to ignoring its own scripts (shouldIgnore excludes scripts/scanner.js unless --include-self is used), which reduces self-noise but can hide issues in the scanner itself unless the user intentionally self-scans.
Install Mechanism
There is no install spec and no downloads; the skill is instruction-only with a bundled script. Nothing writes new binaries or pulls external code during install — lowest-risk install model.
Credentials
The skill requires no environment variables or external credentials. The scanner looks for environment-variable usage patterns in target skills (e.g., process.env) but does not itself read the host environment. The hardcoded SAFE_DOMAINS allowlist is a policy choice: it can cause false positives for otherwise benign domains that are not on the list, or false negatives for suspicious domains if the list is overly permissive. Changing it requires editing the script.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify other skills or agent configuration. It runs when invoked by the user and has no autonomous background behavior.
Assessment
This scanner appears to be what it claims: a static pattern-based skill scanner. Before trusting its results, run it in a sandbox or on a copy of the skill directory (not on system roots), and: (1) run it with --include-self to self-audit the scanner; (2) manually review any FAIL/WARN findings (static checks produce false positives and false negatives); (3) inspect and, if needed, customize SAFE_DOMAINS to match your environment; (4) remember it is static-only — it cannot detect runtime-generated exfiltration or sophisticated obfuscation, so follow up with manual review and, for high-risk skills, runtime monitoring in an isolated environment prior to granting sensitive credentials or deployment.
Like a lobster shell, security has layers — review code before you run it.
audit, latest, safety, scanner, security, supply-chain
Skill Scanner
Security scanner for OpenClaw agent skills. Static analysis for red flags.
Usage
```bash
node scripts/scanner.js <path-to-skill> [--verbose] [--json] [--summary] [--ignore <path>] [--include-self]
```
Examples
```bash
# Scan a downloaded skill folder before enabling it
clawhub inspect some-skill
node scripts/scanner.js ./skills/some-skill --verbose

# Scan your own skill before publishing
node scripts/scanner.js ./skills/my-skill

# JSON output for automation
node scripts/scanner.js ./skills/my-skill --json

# One-line summary output for heartbeat checks
node scripts/scanner.js ./skills/my-skill --summary

# Include scanner internals (off by default to reduce self-scan noise)
node scripts/scanner.js ./skills/skulk-skill-scanner --include-self
```
What It Catches
| Severity | Flags |
|---|---|
| 🔴 Critical | Data exfiltration, credential access, safety overrides, destructive commands |
| 🟠 High | Obfuscation (base64/eval), unknown network access, env scanning, privilege escalation, hidden instructions |
| 🟡 Medium | Writes outside workspace, package installs (supply chain), messaging on user's behalf, persistent timers/automation |
| 🔵 Info | API key references, broad tool access requests |
Scoring
- Each unique rule deducts points: critical=30, high=15, medium=5, info=0
- Score 75-100: ✅ PASS
- Score 50-74: ⚠️ WARN
- Score 0-49 or any critical: ❌ FAIL
- Exit code 1 on FAIL (CI-friendly)
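The scoring rules above, written out as an added example (this is not code from scripts/scanner.js). It assumes a starting score of 100, a floor of 0, exit code 0 for non-FAIL verdicts, and a hypothetical finding shape `{ rule, severity }`; the rule names in the sample are constructed. It shows why a single critical finding fails even though its score of 70 falls in the WARN range.

```javascript
// Added example: the documented scoring rules, not the scanner's own code.
// Assumptions: base score 100, floor 0, findings shaped as { rule, severity }.
const DEDUCTIONS = { critical: 30, high: 15, medium: 5, info: 0 };

function scoreFindings(findings) {
  // "Each unique rule deducts points": repeated hits of one rule count once.
  const severityByRule = new Map();
  for (const f of findings) {
    if (!Object.hasOwn(DEDUCTIONS, f.severity)) {
      throw new Error(`unknown severity: ${f.severity}`);
    }
    if (!severityByRule.has(f.rule)) severityByRule.set(f.rule, f.severity);
  }

  let score = 100;
  let hasCritical = false;
  for (const severity of severityByRule.values()) {
    score -= DEDUCTIONS[severity];
    if (severity === 'critical') hasCritical = true;
  }
  score = Math.max(0, score); // assumed floor

  // "Score 0-49 or any critical" is FAIL, so critical overrides the range.
  let verdict;
  if (hasCritical || score < 50) verdict = 'FAIL';
  else if (score < 75) verdict = 'WARN';
  else verdict = 'PASS';

  // Exit code 1 on FAIL per the page; 0 otherwise is an assumption.
  return { score, verdict, exitCode: verdict === 'FAIL' ? 1 : 0 };
}

// Constructed sample findings (rule names are hypothetical).
const sample = [
  { rule: 'unknown-network-access', severity: 'high' },
  { rule: 'unknown-network-access', severity: 'high' }, // same rule, second file
  { rule: 'package-install', severity: 'medium' },
  { rule: 'api-key-reference', severity: 'info' },
];
console.log(scoreFindings(sample));
```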
Safe Domain Allowlist
Known legitimate API domains are allowlisted to reduce false positives on network-related rules. Edit the SAFE_DOMAINS array in scripts/scanner.js to customize.
Limitations
This is static pattern matching — it catches obvious and moderately obfuscated attacks but cannot detect:
- Sophisticated multi-step social engineering
- Runtime-generated URLs or dynamic exfiltration
- Attacks that look identical to legitimate skill behavior
It's a first line of defense, not a guarantee. Always review skills manually before granting sensitive access.
