ClawSkillShield
v1.0.0
Locally scans OpenClaw/ClawHub skills for security risks like hardcoded secrets, dangerous calls, and risky imports, then scores and quarantines threats.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/SKILL.md/README describe a local static scanner and included Python modules implement that scanner. The requested resources (no env vars, no external binaries) are proportional. Minor oddity: the analyzer flags 'risky imports' such as os/open but the scanner itself uses os and open to perform filesystem operations; this is explainable (the scanner needs filesystem access) but should be documented to avoid confusion.
Instruction Scope
SKILL.md and README present a Python API example that does not match the implementation. Examples show: 'threats = scan_local(...)' and then 'if risk_score < 4: quarantine(...)'. In the actual code, scan_local(path) returns a formatted string report, not a threats list or a numeric risk score. There is no exported function that directly returns a numeric risk score to callers. Also the CLI/API allows an agent to call quarantine(path), which moves the target path into ~/.openclaw/quarantine — functional for quarantine but potentially destructive if invoked on the wrong path. The instructions give agents the discretion to auto-quarantine; that combination of autonomous invocation + move behavior requires caution.
Install Mechanism
No install spec was provided by the registry (instruction-only) but the package contains a pyproject and console entrypoint so it can be installed with pip locally. There are no external downloads, no network calls in code, and no extract-from-URL behavior — low install risk.
Credentials
No environment variables, credentials, or config paths are requested. The only filesystem write is the quarantine directory under the user's home (~/.openclaw/quarantine) which is consistent with a quarantine feature.
Persistence & Privilege
always is false (no forced inclusion). The skill can be invoked autonomously (default). Because it implements quarantine by moving directories, an autonomous agent using the provided example could move user files. This is not necessarily malicious, but it is a privileged destructive action that should be gated behind safe checks and correct API behavior (see mismatch noted above).
What to consider before installing
This package appears to implement a local static scanner and quarantine facility and does not make network calls or request secrets — that part is coherent. However, the documentation examples and the actual Python API do not match: scan_local() returns a formatted string report, not a list of threats or a numeric risk_score as shown in the README/SKILL.md. That means agent code copied from the docs could behave incorrectly (or fail) and might mis-handle quarantine decisions. Before installing or giving an agent the ability to call this skill autonomously:
1) Review and fix the API/documentation mismatch (either return structured data and a numeric score from scan_local or update docs/examples).
2) Add a function that returns structured results (threat list + numeric score) so agents can make safe decisions programmatically.
3) Add safety checks around quarantine (confirm path is a skill folder, prevent system-path moves, require explicit confirmation or a dry-run mode).
4) Test the quarantine behavior in a sandbox so you're comfortable that moving directories to ~/.openclaw/quarantine won't delete or hide important data.
If you plan to enable autonomous agent invocation, only do so after these safeguards are implemented and reviewed.
Like a lobster shell, security has layers — review code before you run it.
Tags: agent-safety, latest, quarantine, scanner, security
