{"skill":{"slug":"yoder-skill-auditor","displayName":"Yoder Skill Auditor","summary":"The definitive security scanner for OpenClaw skills. 18 security checks including prompt injection detection, download-and-execute, privilege escalation, cre...","description":"---\nname: skill-auditor\nversion: 3.1.0\ndescription: \"The definitive security scanner for OpenClaw skills. 18 security checks including prompt injection detection, download-and-execute, privilege escalation, credential harvesting, supply chain attacks, crypto drains, and more. 5-dimension trust scoring with trend tracking.\"\nmetadata:\n  openclaw:\n    requires:\n      bins: [\"python3\", \"bash\"]\n      env: []\n      config: []\n    user-invocable: true\n---\n\n# Skill Auditor v3.1.0\n\nThe definitive security scanner for OpenClaw/ClawHub skills. Best-in-class detection across 18 security checks including **prompt injection detection** — the first scanner to catch agent manipulation attacks in skill documentation. 5-dimension trust scoring, trend tracking, diff analysis, and benchmarking. Zero false positives on legitimate skills.\n\n## When to Activate\n\n1. **Installing a new skill** from ClawHub - run `inspect.sh` for full pre-install validation\n2. **Auditing existing skills** - use `audit.sh` to scan any skill directory\n3. **Generating trust scores** - use `trust_score.py` for 0-100 rating across 5 dimensions\n4. **Comparing skills** - use `trust_score.py --compare` for side-by-side analysis\n5. **Tracking improvements** - use `trust_score.py --save-trend` to monitor score over time\n6. **Reviewing updates** - use `diff-audit.sh` to compare before/after versions\n7. **Batch scanning** - use `audit-all.sh` or `benchmark.sh` for fleet-wide analysis\n\n## Quick Start\n\n```bash\n# Audit a single skill\nbash audit.sh /path/to/skill\n\n# Trust score (0-100 across 5 dimensions)\npython3 trust_score.py /path/to/skill\n\n# Compare two skills side by side\npython3 trust_score.py /path/to/skill1 --compare /path/to/skill2\n\n# Track score over time\npython3 trust_score.py /path/to/skill --save-trend\npython3 trust_score.py /path/to/skill --trend\n\n# Diff audit (before/after update)\nbash diff-audit.sh /path/to/old-version /path/to/new-version\n\n# Benchmark against a corpus\nbash benchmark.sh /path/to/skills-dir\n\n# Inspect a ClawHub skill before installing\nbash inspect.sh skill-slug\n\n# Audit all installed skills\nbash audit-all.sh\n\n# Generate a markdown report\nbash report.sh\n\n# Run test suite (28 assertions)\nbash test.sh\n```\n\n## Guardrails / Anti-Patterns\n\n**DO:**\n- ✓ Always audit skills before installing from untrusted sources\n- ✓ Review trust scores - reject skills scoring below 60 (D grade)\n- ✓ Use `diff-audit.sh` when updating skills to catch regressions\n- ✓ Use `--json` output for CI/CD pipeline integration\n- ✓ Run `--save-trend` periodically to track skill health\n\n**DON'T:**\n- ✗ Install skills scoring below 40 (F grade) without extensive manual review\n- ✗ Ignore CRITICAL findings - they indicate potential security threats\n- ✗ Blindly add skills to allowlist without understanding why they access credentials\n- ✗ Skip audit because a skill is \"popular\" or \"official\"\n\n## Security Checks (18 total)\n\n| # | Check | Severity | Description |\n|---|-------|----------|-------------|\n| 1 | credential-harvest | CRITICAL | Scripts reading API keys/tokens AND making network calls |\n| 2 | exfiltration-url | CRITICAL | webhook.site, requestbin, ngrok URLs in scripts |\n| 3 | obfuscated-payload | CRITICAL | Base64-encoded URLs or shell commands |\n| 4 | sensitive-fs | CRITICAL | /etc/passwd, ~/.ssh, ~/.aws/credentials access |\n| 5 | crypto-wallet | CRITICAL | Hardcoded ETH/BTC wallet addresses (drain attacks) |\n| 6 | dependency-confusion | CRITICAL | Internal/private-scoped packages in public deps |\n| 7 | typosquatting | CRITICAL | Misspelled package names (lodahs, requets, etc.) |\n| 8 | symlink-attack | CRITICAL | Symlinks targeting sensitive system paths |\n| 9 | code-execution | WARNING | eval(), exec(), subprocess patterns |\n| 10 | time-bomb | WARNING | Date/time comparisons that could trigger delayed payloads |\n| 11 | telemetry-detected | WARNING | Analytics SDKs, tracking pixels, phone-home behavior |\n| 12 | excessive-permissions | WARNING | >15 bins/env/config items requested |\n| 13 | unusual-ports | WARNING | Network calls to non-standard ports |\n| 14 | prompt-injection | CRITICAL | Agent manipulation in docs: \"ignore instructions\", role hijacking, hidden HTML directives |\n| 15 | download-execute | CRITICAL | curl\\|bash, wget\\|sh, eval $(curl), unsafe pip/npm installs |\n| 16 | hidden-file | WARNING | Suspicious dotfiles that may hide malicious content |\n| 17 | env-exfiltration | CRITICAL | Reading sensitive env vars + outbound network calls |\n| 18 | privilege-escalation | CRITICAL | sudo, chmod 777/setuid, writes to system paths |\n\nContext-aware: credential mentions in documentation are INFO, not CRITICAL.\n\n## Trust Score (5 Dimensions)\n\n| Dimension | Max | What's Measured |\n|-----------|-----|-----------------|\n| Security | 35 | Audit findings (criticals = -18, warnings = -4) |\n| Quality | 22 | Description, version, usage docs, examples, metadata, changelog |\n| Structure | 18 | File organization, tests, README, reasonable scope |\n| Transparency | 15 | License, no minified code, code comments |\n| Behavioral | 10 | Rate limiting, error handling, input validation |\n\nGrades: A (90+), B (75+), C (60+), D (40+), F (<40)\n\n### Comparative Scoring\n```bash\npython3 trust_score.py /path/to/skill-a --compare /path/to/skill-b\n```\nShows per-dimension deltas and overall score difference.\n\n### Trend Tracking\n```bash\npython3 trust_score.py /path/to/skill --save-trend   # Record score\npython3 trust_score.py /path/to/skill --trend         # View history\n```\nStores up to 50 entries per skill in `trust_trends.json`.\n\n## Tools\n\n| File | Purpose |\n|------|---------|\n| audit.sh | Single skill security audit (18 checks) |\n| audit-all.sh | Batch scan all installed skills |\n| trust_score.py | Trust score calculator (5-dimension, 0-100) |\n| diff-audit.sh | Compare skill versions for security regressions |\n| benchmark.sh | Corpus-wide audit with aggregate statistics |\n| inspect.sh | ClawHub pre-install workflow |\n| report.sh | Markdown report generator |\n| test.sh | Automated test suite (28 assertions, 12 test skills) |\n| allowlist.json | Known-good credential skills |\n\n## Test Suite\n\n12 test skills (8 malicious, 4 clean) with 28 automated assertions:\n\n```bash\nbash test.sh\n```\n\nMalicious fixtures: credential harvest, obfuscated payload, sensitive fs reads, crypto wallets, time bombs, symlink attacks, prompt injection, download-execute, privilege escalation.\nClean fixtures: basic skill, credential docs (false positive check), network skill, dotfiles skill.\n\n## Exit Codes\n- 0: PASS / safe to install\n- 1: REVIEW / warnings found\n- 2: FAIL / critical issues\n- 3: Error / bad input\n\n## Changelog\n\nSee [CHANGELOG.md](CHANGELOG.md) for full version history.\n","tags":{"latest":"3.1.0"},"stats":{"comments":0,"downloads":6389,"installsAllTime":10,"installsCurrent":10,"stars":3,"versions":2},"createdAt":1771241415710,"updatedAt":1778491556797},"latestVersion":{"version":"3.1.0","createdAt":1771258895953,"changelog":"Security advisory remediation: removed self-allowlist, excluded test fixtures, removed auto-install, documented pattern filters, added warnings","license":null},"metadata":{"setup":[],"os":null,"systems":null},"owner":{"handle":"yoder-bawt","userId":"s170re0cxhj45s27ah5h37tc59885epn","displayName":"yoder-bawt","image":"https://avatars.githubusercontent.com/u/259239279?v=4"},"moderation":null}