Bomb Dog Sniff

v0.1.0

Security-first skill management for OpenClaw - like a bomb-sniffing dog for skills. Sniffs out malicious payloads (crypto stealers, keyloggers, reverse shells) before installation. Quarantine → Scan → Install only the safe ones.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (scanner + safe-install) match the code: scan.js/patterns.js implement static detection patterns and safe-download.js implements download → quarantine → scan → install flows. Child processes (unzip, npx clawhub) and copying into OPENCLAW_SKILLS_DIR are consistent with a safe-install feature.
Instruction Scope
SKILL.md and the code instruct the agent to download repositories, extract archives, run npx clawhub, and copy/overwrite installed skills. The runtime will read the user's HOME and OPENCLAW_SKILLS_DIR paths and may access installed skill directories for auditing. SKILL.md also contains a pre-scan injection signal (unicode-control-chars) which can be used to manipulate LLM-based evaluation or rendering — this reduces trust in the documentation and requires manual inspection of the SKILL.md and code before use.
Install Mechanism
No registry install spec is declared (instruction-only), but code will download ZIP archives from GitHub (HTTPS only) and invoke system 'unzip' and 'npx'. Those are expected for this functionality but increase risk compared to a pure static analyzer because external repos are fetched and native subprocesses are executed. The downloader enforces size/time limits and HTTPS but follows redirects and will spawn external tools (unzip, npx), so validate the runtime environment and tool versions.
Credentials
The skill declares no required environment variables and does not demand unrelated secrets. It references standard env vars (HOME, OPENCLAW_SKILLS_DIR) to determine quarantine/install locations — expected for a downloader/installer. The scanner itself looks for code that reads process.env in target skills (which is expected behavior for a security scanner).
Persistence & Privilege
always:false (no forced installation). The skill can install skills into the user's skills directory and backup/overwrite existing skills — this is consistent with its 'safe-install' purpose. It does not request elevated platform privileges or attempt to modify other skills' configuration beyond installing/updating them as expected.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contains unicode control characters detected by the pre-scan (prompt-injection) scanner. This can be used to alter rendered text or to attempt to manipulate an LLM evaluation; it's not expected for a simple README and should be inspected manually.
What to consider before installing
This skill appears to be what it claims (a scanner + safe installer) but take the following precautions before installing or running it with access to your real skills directory:
- Inspect the SKILL.md and code yourself (scan.js, safe-download.js, scripts/sniff.sh). The SKILL.md contained unicode control characters — open it in a raw text editor to verify nothing hides in rendering.
- Run the scanner in a sandbox or container first (e.g., throwaway VM or ephemeral container) and point it at known-good targets to validate behavior.
- Review safe-download.js: it invokes 'unzip' and 'npx clawhub' and will copy files into your OPENCLAW_SKILLS_DIR. Ensure these subprocess calls and their arguments are acceptable in your environment and not run as root.
- Verify quarantine behavior: confirm the quarantine path, permissions, and automatic cleanup meet your policy. Consider changing quarantine to a directory you control.
- Check that network downloads are limited to HTTPS and consider mirroring sources you trust rather than relying on arbitrary GitHub repos or clawhub via npx.
- Prefer running the scanner (scan.js) only before automatic installs; use --dry-run and review JSON reports before allowing any auto-install.
- If you are not comfortable auditing the code, prefer community-vetted scanners or obtain this package from an authoritative repository with a commit history and maintainer traceability.

Given the prompt-injection indicator and the use of subprocesses that act on downloaded code, manual review or sandboxed execution is recommended before granting it access to your real skill installation directory.

Like a lobster shell, security has layers — review code before you run it.
