---
name: frisk
description: "Pre-install security audit and vulnerability scanner for ClawHub skills — scan by slug or local path, 9 threat intel sources, 7 checks including malware scanning, dependency vulnerabilities, and credential leak detection."
version: 3.0.3
metadata:
  openclaw:
    emoji: "⚡"
    homepage: https://github.com/jchandler187/frisk
    requires:
      bins:
        - python3
        - clawhub
      anyBins:
        - gitleaks
        - semgrep
        - yara
    install:
      - kind: node
        package: "@lowwattlabs/frisk"
        bins:
          - frisk
    envVars:
      - name: FRISK_HOME
        required: false
        description: "Base directory for intel cache and reports (default: ~/.frisk)"
      - name: FRISK_INTEL_DIR
        required: false
        description: "Override intel cache directory (default: FRISK_HOME/intel)"
      - name: FRISK_REPORTS_DIR
        required: false
        description: "Override reports output directory (default: FRISK_HOME/reports)"
---

# ⚡ Frisk

Frisk is a local-first security scanner for ClawHub skills. It runs 7 autonomous checks against 9 live threat intelligence feeds and returns a structured verdict — pass, warn, or fail — before you install.

Unlike instruction-card security skills that tell agents what to look for, Frisk actually runs the checks: dependency lookups against CISA KEV and OSV, credential scanning with Gitleaks, malware pattern matching with YARA, IOC matching against ThreatFox/URLhaus/MalwareBazaar/Feodo, behavioral analysis for eval and injection patterns, and prompt injection detection in SKILL.md files.

All scanning is offline. No telemetry. No phone-home. No data leaves your machine.

## When to use

- Before installing a skill from ClawHub — verify it is safe
- Before publishing your own skills — catch issues early
- When reviewing skills for your team or organization
- As part of CI/CD or pipeline validation
- When you want to verify a skill is safe before trusting it with your environment
- Any time an agent encounters an untrusted skill and needs a security check

## Quick start

```bash
frisk scan weather-forecast        # Scan by ClawHub slug
frisk scan ./my-skill              # Scan a local skill directory
frisk scan ./my-skill --checks dep-scan,secret-scan
frisk scan ./my-skill --json       # JSON output for pipelines
```

First run sets up a Python venv and syncs threat intel automatically. After that, scanning works with zero configuration.

## How it works

Frisk downloads the skill to a sandboxed 0700 temp directory, strips execute bits from all files, suppresses npm install scripts, runs all enabled checks against the local intel cache, produces a structured JSON report with findings, and cleans up the downloaded skill.

Exit codes: 0 = pass, 1 = warn, 2 = fail

## Checks

| Check | What it does |
|-------|-------------|
| dep-scan | Cross-references dependencies against CISA KEV and OSV databases |
| static-analysis | Runs Semgrep rules for security anti-patterns (offline, no phone-home) |
| secret-scan | Scans for hardcoded API keys, tokens, and credentials using Gitleaks |
| yara-scan | Matches files against YARA rules for malware patterns |
| ioc-match | Matches IPs, domains, URLs, and file hashes against ThreatFox, URLhaus, MalwareBazaar, and Feodo Tracker |
| behavioral | Detects eval usage, shell injection, data exfiltration vectors, DNS tunneling |
| prompt-inject | Detects prompt injection and instruction-hiding patterns in SKILL.md |

## Threat intel sources (9)

CISA KEV, OSV (npm + PyPI), EPSS, MalwareBazaar, URLhaus, ThreatFox, Feodo Tracker, YARA Rules, Semgrep Rules

Run `frisk sync` to refresh the intel cache. First scan auto-syncs if no cache exists.

## Parameters

When an agent invokes this skill through OpenClaw:

- **target** (required) — Local directory path or ClawHub skill slug. If a slug is given, the skill is downloaded to a sandboxed temp directory, scanned, and removed.
- **checks** (optional) — Comma-separated list: `dep-scan`, `static-analysis`, `secret-scan`, `yara-scan`, `ioc-match`, `behavioral`, `prompt-inject`. Default: all 7.
- **json** (optional) — Output results as JSON for programmatic use.

## Security and Privacy

- No telemetry, no phone-home, no analytics. All scanning is local.
- During scan, zero network requests. All intel is read from the local cache.
- During sync, only public threat intel feeds are contacted. No skill code or scan targets are ever transmitted externally.
- Slug scans are sandboxed: 0700 temp dir, execute bits stripped, npm scripts suppressed, cleaned up after scanning.

### Local files

- Read: `~/.frisk/intel/` (threat intel cache), skill directory passed as target
- Written: `~/.frisk/intel/`, `~/.frisk/reports/`, `~/.frisk/venv/`, `~/.frisk/frisk.log`
- First sync downloads approximately 50-100 MB of threat intel data

## Install

```bash
npm install -g @lowwattlabs/frisk
```

Or let OpenClaw install it via the skill install spec above.

## License

MIT-0