Openclaw Sentinel

Supply chain security for agent skills. Pre-install inspection, post-install scanning, obfuscation detection, and known-bad signature matching. Verify skills are safe before they touch your workspace. Free alert layer — upgrade to openclaw-sentinel-pro for quarantine, blocking, and community threat feeds.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.2k · 2 current installs · 2 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name and description match what is present: a Python-based scanner that inspects skill directories for obfuscation, suspicious patterns, and known-bad hashes. Required binary is only python3, which is appropriate for the functionality.
Instruction Scope
Runtime instructions tell the agent to scan or inspect skill directories and to read/write local workspace state (e.g., create .sentinel, .quarantine). That behavior is within scope for a scanner, but the skill will traverse and read many files under your workspace and will persist scan results and a threat DB under workspace/.sentinel (and may write quarantine evidence to workspace/.quarantine). The SKILL.md documents these behaviors; however, confirm whether any quarantine or write actions are optional or require explicit consent before enabling.
Install Mechanism
No install spec (instruction-only with included script). Nothing pulls remote code at runtime; the code claims to use only the Python standard library and does not declare external package installs. This is low installation risk, but you should obtain the skill from a trusted source (the registry metadata lists no homepage).
Credentials
The skill does not request credentials and only needs python3. It uses OPENCLAW_WORKSPACE (and falls back to current directory / ~/.openclaw/workspace) to locate the workspace — that environment variable is referenced in SKILL.md but is not listed in the registry 'required env vars' field, which is a metadata mismatch. The scanner also looks for code that reads env vars inside scanned skills (e.g., patterns for SECRET/TOKEN usage) — that is expected for a scanner but means the tool will surface secrets usage patterns if present in scanned files (it does not itself require secrets).
Persistence & Privilege
always:false and model invocation allowed (default). The tool writes its own data under the target workspace (.sentinel, .quarantine) which is expected for a scanner. There is code and constants related to quarantining, but SKILL.md/README state that automated blocking/quarantine features are part of a 'pro' offering — verify whether any destructive actions (renaming/moving skill dirs) are opt-in.
Scan Findings in Context
[eval-base64-decode] expected: The code contains detection rules for eval(base64.b64decode(...)). This is an expected scanner signature (it detects encoded execution patterns), not an execution of such payloads in the scanner itself.
[modify-other-skills] expected: There is a 'modify-other-skills' detection regex and quarantine-related directories. This is appropriate for a scanner that looks for cross-skill writes; however it also indicates the code has logic to manage quarantine evidence and may perform workspace writes—confirm whether destructive quarantine actions are manual or automatic.
[env-var-exfil] expected: The scanner looks for patterns that read sensitive env vars inside scanned skills. That detection rule is expected and appropriate; the scanner itself does not require secrets.
Assessment
This appears to be a legitimate local supply-chain scanner that only needs python3 and will read and write under your OpenClaw workspace. Before installing or running: (1) obtain the repository from a trusted source (registry shows no homepage), (2) review the full scripts/sentinel.py for any code paths that rename/move skill directories or make outbound network calls, (3) run it first in a copied/isolated workspace if you are worried about quarantine actions, (4) confirm whether importing community threat lists (--update-from) is local-only or can fetch remote feeds, and (5) note the metadata mismatch: OPENCLAW_WORKSPACE is used but not declared as a required env var in the registry. If you need higher assurance, request the maintainer's source URL and verify release signatures before trusting automated quarantining or updates.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.2
latest: vk97ew0zsaay9k7asmd3m2nnarn811fv1

Runtime requirements

🏰 Clawdis
OS: macOS · Linux · Windows
Bins: python3

SKILL.md

OpenClaw Sentinel

Supply chain security scanner for agent skills. Detects obfuscated code, known-bad signatures, suspicious install behaviors, dependency confusion, and metadata inconsistencies — before and after installation.

The Problem

You install skills from the community. Any skill can contain obfuscated payloads, post-install hooks that execute arbitrary code, or supply chain attacks that modify other skills in your workspace. Existing tools verify file integrity after the fact — nothing inspects skills for supply chain risks before they run.

Commands

Scan Installed Skills

Deep scan of all installed skills for supply chain risks. Checks file hashes against a local threat database, detects obfuscated code patterns, suspicious install behaviors, dependency confusion, and metadata inconsistencies. Generates a risk score (0-100) per skill.

python3 {baseDir}/scripts/sentinel.py scan --workspace /path/to/workspace

Scan a Single Skill

python3 {baseDir}/scripts/sentinel.py scan openclaw-warden --workspace /path/to/workspace

Pre-Install Inspection

Scan a skill directory BEFORE copying it to your workspace. Outputs a SAFE/REVIEW/REJECT recommendation and shows exactly what binaries, network calls, and file operations the skill will perform.

python3 {baseDir}/scripts/sentinel.py inspect /path/to/skill-directory

Manage Threat Database

View current threat database statistics.

python3 {baseDir}/scripts/sentinel.py threats --workspace /path/to/workspace

Import a community-shared threat list.

python3 {baseDir}/scripts/sentinel.py threats --update-from threats.json --workspace /path/to/workspace

Quick Status

Summary of installed skills, scan history, and risk score overview.

python3 {baseDir}/scripts/sentinel.py status --workspace /path/to/workspace

Workspace Auto-Detection

If --workspace is omitted, the script tries:

  1. OPENCLAW_WORKSPACE environment variable
  2. Current directory (if AGENTS.md exists)
  3. ~/.openclaw/workspace (default)

What It Detects

Category | Patterns
Encoded Execution | eval(base64.b64decode(...)), exec(compile(...)), eval/exec with encoded strings
Dynamic Imports | __import__('os').system(...), dynamic subprocess/ctypes imports
Shell Injection | subprocess.Popen with shell=True + string concatenation, os.system()
Remote Code Exec | urllib/requests combined with exec/eval — download-and-run patterns
Obfuscation | Lines >1000 chars, high-entropy strings, minified code blocks
Install Behaviors | Post-install hooks, auto-exec in __init__.py, cross-skill file writes
Hidden Files | Non-standard dotfiles and hidden directories
Dependency Confusion | Skills shadowing popular package names, typosquatting near-matches
Metadata Mismatch | Undeclared binaries, undeclared env vars, invocable flag inconsistencies
Serialization | pickle.loads, marshal.loads — arbitrary code execution via deserialization
Known-Bad Hashes | File SHA-256 matches against local threat database

Risk Scoring

Each skill receives a score from 0-100:

Score | Label | Meaning
0 | CLEAN | No issues detected
1-19 | LOW | Minor findings, likely benign
20-49 | MODERATE | Review recommended
50-74 | HIGH | Significant risk, review required
75-100 | CRITICAL | Serious supply chain risk

Threat Database Format

Community-shared threat lists use this JSON format:

{
  "hashes": {
    "<sha256hex>": {"name": "...", "severity": "...", "description": "..."}
  },
  "patterns": [
    {"name": "...", "regex": "...", "severity": "..."}
  ]
}
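
A sketch of how a threat list in this format can be validated and matched against a skill directory. This is an added example, not code from scripts/sentinel.py. The function names, the severity values "critical" and "high", and the sample files are constructed for illustration.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

SHA256_HEX = re.compile(r"[0-9a-f]{64}")

def load_threat_list(text):
    """Validate a threat list in the documented JSON format; bad entries raise."""
    db = json.loads(text)
    hashes, patterns = {}, []
    for digest, meta in db.get("hashes", {}).items():
        if not SHA256_HEX.fullmatch(digest.lower()):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        hashes[digest.lower()] = meta
    for entry in db.get("patterns", []):
        patterns.append((entry["name"], re.compile(entry["regex"]), entry["severity"]))
    return hashes, patterns

def scan_dir(root, hashes, patterns):
    """Return (relative_path, kind, name, severity) findings in path order."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        hit = hashes.get(hashlib.sha256(data).hexdigest())
        if hit:
            findings.append((rel, "hash", hit["name"], hit["severity"]))
        text = data.decode("utf-8", errors="replace")
        for name, rx, severity in patterns:
            if rx.search(text):
                findings.append((rel, "pattern", name, severity))
    return findings

def demo():
    """Scan a constructed skill directory against a constructed threat list."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "sample-skill"
        (skill / "scripts").mkdir(parents=True)
        blob = b"constructed known-bad file contents\n"
        (skill / "scripts" / "blob.bin").write_bytes(blob)
        (skill / "scripts" / "run.py").write_text("obj = pickle.loads(raw)\n")
        threats = json.dumps({
            "hashes": {hashlib.sha256(blob).hexdigest(): {
                "name": "sample-bad-blob", "severity": "critical", "description": "constructed"}},
            "patterns": [{"name": "pickle-loads", "regex": r"pickle\.loads\(", "severity": "high"}],
        })
        return scan_dir(skill, *load_threat_list(threats))
```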

Exit Codes

  • 0 — Clean, no issues
  • 1 — Review needed
  • 2 — Threats detected

No External Dependencies

Python standard library only. No pip install. No network calls. Everything runs locally.

Cross-Platform

Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.
