Clawhub Skill Scanner

v0.1.0

Security gatekeeper for skill installations. MANDATORY before installing any skill from ClawHub, GitHub, or external sources. Performs deep code analysis to detect malicious patterns, credential access, data exfiltration, command injection, and other security risks. Triggers: "install skill", "clawhub install", "new skill", "add skill", "skill from". Always run this BEFORE installation.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description claim a pre-install security scanner and the package includes a Python scanner (scripts/scan_skill.py) plus documentation implementing that purpose. It does not request unrelated credentials, binaries, or configuration paths.
Instruction Scope
SKILL.md instructs the agent/user to run the included Python scanner against a skill folder and shows a wrapper that fetches a skill and scans it before install — this matches the stated purpose. Minor concerns: the doc repeatedly calls the scan 'MANDATORY' and lists triggers (e.g., 'install skill') but the skill metadata doesn't enforce mandatory execution; the wrapper script assumes clawhub inspect is available at runtime and the path to the scanner is correct. Also review the scanner's whitelist and pattern choices (e.g., some generic whitelist entries like '# ' and 'https://api.' may suppress matches in comments or API URLs).
Install Mechanism
No install spec/external downloads; code lives in the skill bundle. This minimizes supply-chain risk since nothing is fetched or executed by an automated install step in the skill itself.
Credentials
The skill requires no environment variables, credentials, or privileged config paths. The scanner looks for references to credentials in scanned code (e.g., ~/.ssh, ~/.aws, .env) which is appropriate for its purpose.
Persistence & Privilege
Skill is not marked always:true and does not request persistent privileges. The SKILL.md suggests a wrapper to run the scanner before installs, but the skill itself does not modify other skill configs or system-wide settings.
Scan Findings in Context
[pattern-definitions-included] expected: The scanner includes many regex patterns that match suspicious behavior (curl|bash, webhooks, .env files, reverse-shell patterns). This is expected for a static pattern-based scanner.
[examples-containing-dangerous-strings] expected: README/SKILL.md contain example dangerous snippets (curl | bash, webhook URLs) used to demonstrate findings. Those example strings could trigger other naive scanners but are expected here as documentation/examples.
Assessment
This skill appears to do what it says: a local pattern-based scanner you can run before installing skills. Before trusting it as your only defense:

1) Verify the scanner's source (owner and repo) and ensure you obtained the package from a trusted location — the provided metadata has no homepage and an unfamiliar owner ID.
2) Inspect scripts/scan_skill.py yourself (or in a sandbox/CI) to confirm the rule set matches your threat model and to tune whitelist/blacklist rules to avoid false positives/negatives.
3) Don't rely solely on this tool: pattern-based scanners can miss obfuscated or logic-based exfiltration and can also produce false positives; combine with manual review or runtime sandboxing for high-risk skills.
4) If you plan to integrate the wrapper into an automated install pipeline, ensure the wrapper's paths are correct and run the scanner from a controlled environment (CI or isolated host) so it cannot be tricked into scanning arbitrary system paths.

If you want higher assurance, request a published repository URL or signed release for provenance — absence of a homepage/repo reduces confidence.

Like a lobster shell, security has layers — review code before you run it.

