Skill Auditor v2
v2.0.0
Security scanner for OpenClaw skills. Detects malicious code, obfuscated payloads, prompt injection, social engineering, typosquatting, and data exfiltration...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description indicate a security scanner; required binary is only python3; included files (audit_skill.py, quarantine.sh, IoC DB and pattern docs) match that purpose. Nothing in metadata asks for unrelated cloud credentials or system-wide privileges.
Instruction Scope
SKILL.md instructs the agent to run the included Python scanner or the quarantine shell script against a provided skill path or slug. The doc and reference files include prompt‑injection signatures (e.g., 'ignore previous instructions') which triggered a pre-scan warning — this appears to be part of the scanner's rule set (expected) rather than an attempt to override the evaluator. The scanner may fetch remote skills when run with --slug (network I/O) — this is expected for a tool that audits remote packages, but you should be aware it will contact ClawHub or whatever remote endpoint the script implements.
Install Mechanism
No installer or external download is declared. This is instruction + code bundled in the skill. No remote archive downloads or extract steps are performed by the registry metadata. Running the tools will execute local Python code only.
Credentials
The skill declares no required environment variables or credentials. The scanner contains detection rules to look for many API‑key patterns and config paths but does not itself require any external secrets to operate.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system changes in metadata, and the quarantine script only copies quarantined files into a production directory if the user explicitly consents. No elevated platform privileges are requested in metadata.
Scan Findings in Context
[pre-scan:ignore-previous-instructions] expected: The pre-scan detected prompt-injection wording (e.g., 'ignore previous instructions'). These strings appear in references/prompt-injection-patterns.md and are part of the auditor's detection rules — expected for a tool that looks for prompt injection.
Assessment
This skill appears to be what it says: a Python-based auditor plus a shell quarantine helper. Before running it, review the bundled audit_skill.py (it will scan files and may fetch remote slugs) and quarantine.sh yourself, and run them in an isolated environment (container or VM) on untrusted skills. Be aware the --slug mode will perform network fetches to retrieve remote skills — if you need to avoid network I/O, run the auditor only against local directories. Confirm the default production directory in quarantine.sh matches your environment before approving any automatic copy/installation, and inspect audit-report.json results before installing any audited skill. The pre-scan prompt-injection flag is explained by the auditor including a list of injection signatures; this is expected but always worth a quick manual check because such patterns could be abused if the skill were modified by a malicious actor.
Like a lobster shell, security has layers — review code before you run it.
audit vk978ensqp0yvea4mfpdxtrcah1816a55 · latest vk978ensqp0yvea4mfpdxtrcah1816a55 · security vk978ensqp0yvea4mfpdxtrcah1816a55
Runtime requirements
Bins: python3
