ClawHub

SkillGuard by Farnwick

v1.0.0

AI-powered security scanner for OpenClaw skills. Scans skill files for credential theft, data exfiltration, reverse shells, obfuscation, and other threats be...

0· 554·0 current·0 all-time
by@farnwickarglefax
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match behavior: the tool collects skill files, analyzes them with an LLM, reports risk, and optionally runs clawhub to install. Required binary (python3) and scan targets (/usr/lib..., ~/.openclaw/...) align with the stated purpose.
Instruction Scope
SKILL.md and code instruct scanning installed skills and local paths and explicitly run python3 skillguard.py install/audit/scan. The scanner sends collected file contents to external LLM providers (Anthropic/OpenRouter/DeepSeek) or uses the local openclaw agent — this is necessary for its analysis but means skill files (which can contain secrets) are transmitted to configured LLM backends; the SKILL.md documents this.
Install Mechanism
No install spec; code is included and runs locally. No remote downloads or archive extraction are performed by the skill itself, lowering install risk.
Credentials
The skill reads OpenClaw auth profiles (~/.openclaw/agents/main/agent/auth-profiles.json) to obtain LLM API keys and may invoke openclaw CLI. SKILL.md documents the need for an LLM API key in OpenClaw, but registry metadata does not declare a primary credential or required env vars — a small metadata mismatch worth noting.
Persistence & Privilege
always:false and it does not request permanent presence or modify other skills. It invokes subprocesses and may call openclaw agent --local to obtain LLM responses; this is appropriate for its function.
Assessment
This skill appears to do what it claims: it collects skill files and sends them to your configured LLM backend for analysis and can scan installed skill directories. Before installing or running: 1) Verify you trust the LLM provider(s) configured in OpenClaw, because scanned files (which might include secrets or credentials in SKILL.md or scripts) will be transmitted to those services. 2) Confirm you are comfortable SkillGuard reading the OpenClaw auth-profiles file (~/.openclaw/agents/main/agent/auth-profiles.json) to retrieve API tokens. 3) Note the registry metadata does not declare a primary credential even though the tool needs an LLM key in OpenClaw — consider this a minor mismatch. 4) Optionally review skillguard.py yourself (it is included) to confirm it does not exfiltrate scans to any endpoint other than the configured LLMs or call unexpected external servers. If you accept those behaviors, SkillGuard is reasonable to use.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛡️ Clawdis
Binspython3
latestvk976h7q5hdz9039hjt0ym79jwn81ah0w
554downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@farnwickarglefax
latest
Download

SkillGuard 🛡️

AI-powered security scanner for OpenClaw skills. Analyzes skill code for malicious behaviour before you install it.

Commands

Scan before install (recommended)

skillguard install <skill-name>

Downloads the skill to a temp directory, runs AI security analysis, shows verdict, then asks for confirmation before installing via clawhub.

Example:

skillguard install my-new-skill

Audit installed skills

skillguard audit

Scans all skills in /usr/lib/node_modules/openclaw/skills/, ~/.openclaw/workspace/skills/, and ~/.openclaw/skills/. Prints a table summary with details on any flagged skills.

Scan a local path

skillguard scan <path>

Scan any local skill directory without installing. Useful for reviewing skills you've already downloaded or developed locally.

Example:

skillguard scan ./my-skill-folder
skillguard scan /usr/lib/node_modules/openclaw/skills/some-skill

Risk Levels

LevelMeaning
✅ CLEANNo security issues detected
🟡 LOWMinor concerns, generally safe
⚠️ MEDIUMReview recommended before installing
🚨 HIGHDangerous — do not install without careful manual review

What Gets Checked

  • Credential theft: Reads to ~/.ssh/, ~/.openclaw/, API keys, .env files
  • Data exfiltration: curl/wget/fetch POSTing data to external servers
  • Reverse shells: netcat, bash TCP redirects, socat to external IPs
  • Privilege escalation: sudo abuse, setuid bits, writing to /etc/
  • Persistence: cron installs, systemd units, .bashrc modifications
  • Obfuscation: base64-piped-to-bash, eval with dynamic content
  • Package smuggling: undisclosed npm/pip installs
  • Reconnaissance: network scanning, system info harvesting

Usage by the AI Agent

When the user asks to install a skill, use skillguard first:

python3 /root/.openclaw/workspace/skills/skillguard/skillguard.py install <skill-name>

When the user asks to check their installed skills for security issues:

python3 /root/.openclaw/workspace/skills/skillguard/skillguard.py audit

When the user asks to check a specific local skill directory:

python3 /root/.openclaw/workspace/skills/skillguard/skillguard.py scan /path/to/skill

Output Examples

Clean skill:

✅ SkillGuard: good-skill — Clean. Installing...

Flagged skill:

🚨 SkillGuard: bad-skill — Risk: HIGH
   Reads /root/.openclaw/*.json and POSTs to external IP.

   [HIGH] Data Exfiltration: curl POST of ~/.openclaw/openclaw.json to 45.33.32.156 [scripts/init.sh:14-22]
   [MEDIUM] Credential Theft: Reads ~/.ssh/id_rsa without disclosure [scripts/setup.sh:8]

Install bad-skill anyway? (type YES to confirm)

Requirements

  • Python 3.6+
  • An Anthropic, OpenRouter, or DeepSeek API key configured in OpenClaw
  • clawhub CLI (for install command only)

Notes

  • Binary files are automatically skipped
  • Files larger than 100KB are truncated before analysis
  • Analysis uses Claude Opus (or best available model) for maximum accuracy
  • The scan itself is safe — skills are text files, not executed during scanning

Comments

Loading comments...