ClawHub

skill-trust-auditor

v1.1.3

Audit a ClawHub skill for security risks BEFORE installation.

0· 562·1 current·1 all-time
byJonathan Jing@jonathanjing
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (audit ClawHub skills) match the actual artifacts: a Python analyzer, shell wrappers, and a patterns.json. Declared binaries (python3, optional clawhub) are appropriate. No unrelated credentials or binaries are requested.
Instruction Scope
Runtime instructions only run the included setup and audit scripts which fetch SKILL.md and referenced scripts from ClawHub/GitHub, then run regex checks. The instructions do not direct the agent to read unrelated local secrets or modify other skills. The only path that references home config is an optional alias pointing to the installed auditor script (not a request to read ~/.openclaw or secrets).
Install Mechanism
No platform install spec is provided; setup.sh installs Python packages (requests and optional anthropic) from PyPI via pip. This is expected for a Python tool but introduces normal supply-chain risk from PyPI packages; packages are well-known (requests, anthropic) and installation is local and explicit.
Credentials
The skill declares no required env vars. It does optionally use ANTHROPIC_API_KEY for the '--llm' mode (README and setup.sh mention this). That optional key is proportionate to an LLM-as-judge feature but is not required for core auditing; the SKILL metadata does not list it as required, which is consistent.
Persistence & Privilege
The skill does not request always:true, does not attempt to modify other skills or agent core files, and the provided setup only installs local Python packages. It does not create persistent hooks or modify shell profiles.
Assessment
This skill appears to do what it claims: fetch skill files and run pattern checks. Before installing: (1) review patterns.json if you want to understand what it flags and the allowlisted domains; (2) be aware that enabling '--llm' mode will send snippets to Anthropic if you set ANTHROPIC_API_KEY (only enable if you trust that service); (3) running setup.sh will pip-install packages (requests, anthropic) — inspect the setup script and installed packages if you must maintain a strict supply-chain policy; (4) the auditor fetches remote skill files over the network to analyze them — this network access is necessary but means the tool can only be as accurate as the sources it fetches. Overall, the package is coherent and reasonable for an auditor, but exercise standard caution when enabling LLM judgement or when allowing pip installs on sensitive hosts.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛡️ Clawdis
Binspython3
Any binclawhub
latestvk9747vtz3a99pe100r9rqjm4a1829khn
562downloads
0stars
5versions
Updated 1mo ago
v1.1.3
MIT-0
Jonathan Jing@jonathanjing
latest
Download

Skill Trust Auditor

Audit any ClawHub skill for security risks before installation.

🛠️ Installation

1. Ask OpenClaw (Recommended)

Tell OpenClaw: "Install the skill-trust-auditor skill." The agent will handle the installation and configuration automatically.

2. Manual Installation (CLI)

If you prefer the terminal, run:

clawhub install skill-trust-auditor

Setup (first run only)

bash scripts/setup.sh

Audit a Skill

When user says "audit [skill-name]" or "is [skill-name] safe" or before any clawhub install:

bash scripts/audit.sh [skill-name-or-url]
# Example:
bash scripts/audit.sh steipete/clawhub
bash scripts/audit.sh https://clawhub.ai/someuser/someskill

Output:

{
  "skill": "someuser/someskill",
  "trust_score": 72,
  "verdict": "INSTALL WITH CAUTION",
  "risks": [
    {"level": "HIGH", "pattern": "curl to external domain", "location": "scripts/sync.sh:14"},
    {"level": "MEDIUM", "pattern": "reads MEMORY.md", "location": "SKILL.md:23"}
  ],
  "safe_patterns": ["no env var access", "no self-modification"],
  "author_verified": false,
  "recommendation": "Review scripts/sync.sh:14 before installing. The external curl call could exfiltrate data."
}

Post to user with clear summary:

🛡️ Trust Audit: someuser/someskill
Score: 72/100 — ⚠️ INSTALL WITH CAUTION

🔴 HIGH: curl to unknown domain in scripts/sync.sh:14
🟡 MEDIUM: reads your MEMORY.md

Recommendation: Inspect line 14 of sync.sh before proceeding.
Run: clawhub show someuser/someskill --file scripts/sync.sh

Trust Score Guide

ScoreVerdictAction
90-100✅ SAFEInstall freely
70-89⚠️ CAUTIONReview flagged items first
50-69🟠 RISKYOnly if you understand the risks
0-49🔴 DO NOT INSTALLHigh probability of malicious intent

Risk Pattern Reference

HIGH RISK (-30 each):

  • process.env access in scripts
  • curl/wget to non-standard domains
  • Reading ~/.config or ~/.openclaw directly
  • exec() with user-controlled input
  • Instructions to modify SOUL.md/AGENTS.md/openclaw.json

MEDIUM RISK (-10 each):

  • Any outbound API calls (even to known services)
  • File writes outside workspace
  • Reading MEMORY.md or diary files

LOW RISK (-3 each):

  • web_fetch to standard domains
  • Read-only file access in workspace

Auto-Audit Mode

Optionally prepend audit to every install:

# Add to your shell aliases:
alias clawhub-safe='bash ~/.openclaw/workspace/skills/skill-trust-auditor/scripts/audit.sh $1 && clawhub install $1'

ClawHavoc Pattern Reference

See references/clawhavoc-patterns.md for known malicious patterns from the February 2026 incident. Update this file when new incidents are reported.

Comments

Loading comments...