ClawHub

Agent Audit Scanner

v0.1.0

Security scanner for OpenClaw skills. Detects prompt injection, credential leaks, unsafe code execution, MCP misconfigurations, privilege escalation, obfusca...

1· 290·0 current·0 all-time
byHeady@headyzhang
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (security scanner for OpenClaw skills) aligns with required binaries (python3), declared file_reads (~/.openclaw/skills/** and ~/.openclaw/openclaw.json) and the bundled scripts which discover and scan skill directories. Reading those paths is expected for this purpose.
Instruction Scope
SKILL.md and bundled scripts instruct the agent to read all managed/workspace skills and the OpenClaw config, run the bundled Python scripts, and invoke the external 'agent-audit' CLI. All of these are within scope for a scanner, but the instructions also tell the agent to install/run an external PyPI package ('agent-audit') if missing, which introduces a network fetch and external-code execution step that users should be aware of.
Install Mechanism
There is no registry install spec, but the scripts will try to install 'agent-audit' via pip at runtime. Installing from PyPI is a reasonable design choice for a wrapper, but it is a moderate-risk action (network fetch, arbitrary package code). The bundled code itself does not download arbitrary archives or write unknown binaries to nonstandard locations.
Credentials
The skill declares no required environment variables or credentials and the scripts do not request or exfiltrate secrets. The scanner inspects OpenClaw config files for hardcoded secrets but does not transmit them anywhere. The requested file reads are proportional to the scanning purpose.
Persistence & Privilege
always is false, persistence false, and the skill does not request system-wide writes or modify other skills' configs. Autonomous invocation is marked restricted in SKILL.md; nothing indicates the skill will persist or gain elevated privileges.
Assessment
This skill appears to do what it claims (scan installed skills and OpenClaw config). Before installing or running it: (1) review the upstream 'agent-audit' project (SKILL.md frontmatter points at https://github.com/HeadyZhang/agent-audit) and confirm you trust the PyPI package name, since the scripts will pip-install and run that tool; (2) recognize the scanner needs read access to ~/.openclaw/skills/** and ~/.openclaw/openclaw.json — check you are comfortable granting that; (3) running the scripts may install packages (network fetch) and will execute an external CLI (ensure no malicious 'agent-audit' is present earlier on PATH); (4) if you want extra safety, run the scanner from an isolated environment (VM/container) or inspect the agent-audit source locally before allowing the skill to auto-install it; (5) note a minor metadata inconsistency: registry metadata showed no homepage/source but SKILL.md includes a GitHub URL — verify that ownership/source are what you expect.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛡️ Clawdis
OSmacOS · Linux · Windows
Binspython3
latestvk977458etep6h8jg8ytjk8p0m182bwkm
290downloads
1stars
1versions
Updated 1mo ago
v0.1.0
MIT-0
macOS, Linux, Windows
Heady@headyzhang
latest
Download

Agent Audit Scanner — Security Scanning for OpenClaw Skills

You are a security auditor. Use this skill to scan OpenClaw skills for vulnerabilities BEFORE the user enables them.

When to Trigger

  1. New skill installed — scan before confirming it's ready.
  2. User asks about safety — "is this skill safe?", "audit this skill", etc.
  3. /audit command/audit (all) or /audit <skill-name>.
  4. Bulk audit — "audit all skills", "check my skills".

Setup (first-time only)

pip install agent-audit && agent-audit --version

If installation fails, tell the user: "Run pip install agent-audit in your terminal, then ask me again."

How to Scan a Single Skill

Run the scan script bundled with this skill:

python3 {baseDir}/scripts/scan-skill.py "<path-to-skill-directory>"

Or use agent-audit directly:

agent-audit scan "<path-to-skill-directory>" --format json

Common skill locations:

  • Workspace skills: ~/.openclaw/workspace/skills/<skill-name>/
  • Managed skills: ~/.openclaw/skills/<skill-name>/

How to Scan All Skills

python3 {baseDir}/scripts/scan-all-skills.py

This discovers and scans every skill in ~/.openclaw/workspace/skills/ and ~/.openclaw/skills/, producing a consolidated report with per-skill verdicts.

How to Audit OpenClaw Config

python3 {baseDir}/scripts/check-config.py

Checks ~/.openclaw/openclaw.json and .mcp.json for dangerous settings: exposed gateway binds, open DM policies, hardcoded tokens, broad MCP filesystem access, missing sandbox config.

Interpreting Results

Findings have three severity tiers:

  • BLOCK (confidence >= 0.92): DO NOT enable. Warn the user. Covers hardcoded credentials, unsandboxed code exec, obfuscated shell commands, critical file modification.
  • WARN (0.60-0.91): Inform the user and let them decide. Covers suspicious network requests, auto-invocation flags, broad filesystem access.
  • INFO (0.30-0.59): Mention briefly. Low-confidence, usually safe patterns.
  • CLEAN (0 findings): Confirm safe to enable.

What Gets Scanned

Scripts (py/sh/js/ts), all text files for credentials, *.mcp.json for MCP misconfigs, SKILL.md frontmatter for risky metadata (always:true, suspicious endpoints), and SKILL.md body for obfuscated shell commands and social engineering. See references/owasp-asi-mapping.md for the full 56-rule mapping across all 10 OWASP ASI categories.

Important Notes

  • Always scan BEFORE enabling a skill, never after.
  • If the scan fails, recommend manual review.
  • Never skip scanning because a skill is popular. The #1 ClawHub skill was found to be malware.
  • Any skill that modifies SOUL.md, AGENTS.md, MEMORY.md, or IDENTITY.md is BLOCK-level regardless of confidence.

Comments

Loading comments...