Aura Security Scanner

Scan AI agent skills for malware, credential theft, prompt injection, and dangerous permissions before installing them

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.2k · 2 current installs · 2 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description claim to scan skills, and index.ts implements that by POSTing the skill URL to an AURA API endpoint — this is coherent. However, the top-level registry metadata said "Required env vars: none" while SKILL.md declares AURA_API_URL and network access to api.aurasecurity.io; package.json and SKILL.md reference aurasecurity.io/GitHub, but the registry record lists source/homepage as unknown/none. These metadata mismatches should be resolved or explained by the publisher.
Instruction Scope
SKILL.md and index.ts keep runtime behavior narrowly scoped: extract a URL from the user's query and send it to the AURA API. The instructions do not request reading local files, credentials, or other system state. The expected network call will transmit the skill URL (and includeRepoTrust flag) to a third-party service, which is appropriate for a remote scanning service but is a privacy/trust consideration.
Install Mechanism
No install spec (instruction-only plus a simple TypeScript handler) — nothing is downloaded or written by an installer. No external packages or archives are fetched during install. This is lower-risk from an install-mechanism standpoint.
Credentials
The code reads AURA_API_URL (with a sensible default); SKILL.md lists AURA_API_URL under requires.env and network access to api.aurasecurity.io, but the registry metadata claims no required env vars. While no secrets/credentials are requested (no TOKENS/KEYS), the ability to override AURA_API_URL could redirect requests to an attacker-controlled endpoint if an operator sets that env var. The skill does not request unrelated credentials, but the env-var/metadata mismatch and the reliance on an external API are noteworthy.
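One way to close the AURA_API_URL redirection risk described above, as an added example that is not the skill's own index.ts: validate the override against an exact-match host allowlist and fail closed before any request is built. It assumes AURA_API_URL is a base URL to which /scan-skill is appended; ALLOWED_HOSTS, resolveScanEndpoint and buildScanRequest are hypothetical names.

```typescript
// Added example: fail-closed handling of the AURA_API_URL override.
// ALLOWED_HOSTS, resolveScanEndpoint and buildScanRequest are illustrative names,
// not taken from the skill's index.ts.
const DEFAULT_API_URL = "https://api.aurasecurity.io"; // host declared in SKILL.md
const ALLOWED_HOSTS = new Set<string>(["api.aurasecurity.io"]);

type Resolved = { ok: true; endpoint: string } | { ok: false; reason: string };

function resolveScanEndpoint(override: string | undefined): Resolved {
  const raw = override !== undefined && override.trim() !== "" ? override.trim() : DEFAULT_API_URL;
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme must be https" };
  // "https://api.aurasecurity.io@other.example/" parses with the trusted name as userinfo.
  if (url.username !== "" || url.password !== "") return { ok: false, reason: "userinfo not allowed" };
  if (url.port !== "") return { ok: false, reason: "non-default port not allowed" };
  // URL.hostname is lowercased by the parser, so an exact match is enough;
  // suffix or substring checks would accept api.aurasecurity.io.other.example.
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: "host not allowlisted: " + url.hostname };
  // Assumption: the override is a base URL; any path it carries is discarded.
  return { ok: true, endpoint: url.origin + "/scan-skill" };
}

// Build the POST described in SKILL.md, refusing to send anything if the override is rejected.
function buildScanRequest(env: Record<string, string | undefined>, skillUrl: string) {
  const resolved = resolveScanEndpoint(env["AURA_API_URL"]);
  if (!resolved.ok) throw new Error("AURA_API_URL rejected: " + resolved.reason);
  return {
    endpoint: resolved.endpoint,
    body: JSON.stringify({ skillUrl, format: "auto", includeRepoTrust: true }),
  };
}
```

An operator who genuinely needs a test endpoint would add its host to ALLOWED_HOSTS explicitly rather than relaxing the comparison.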
Persistence & Privilege
The skill does not request always:true and does not alter other skills or system-wide settings. It runs only when invoked and does not ask for persistent privileges.
What to consider before installing
This skill appears to do what it says: it sends the provided skill URL to an external AURA scanning API and formats the returned report. Before installing, consider:

1) Trust the external service — scanning sends the skill URL (and the scanner may fetch the repo) to api.aurasecurity.io; verify the operator/publisher (the registry record shows unknown source/homepage while package files reference aurasecurity.io).
2) Watch the AURA_API_URL env var — if an env var overrides it, the skill will call whatever endpoint is set; ensure that variable isn't set to an untrusted domain.
3) If you want to be extra cautious, inspect/execute the code in a sandbox or run it locally with AURA_API_URL pointed to a test endpoint to observe behavior.
4) Ask the publisher to reconcile metadata inconsistencies (registry metadata vs SKILL.md/package.json) and provide an official homepage or repository link.

If you cannot verify the external service or the publisher, do not install.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

SKILL.md

AURA Security Scanner

Protect your AI agent from malicious skills. Scan any OpenClaw, Claude MCP, or LangChain skill before installation.

What It Detects

  • Malware Patterns - Credential theft, file exfiltration, crypto miners, backdoors
  • Prompt Injection - Attempts to override system instructions or jailbreak agents
  • Permission Issues - Overly broad filesystem, network, or execution permissions
  • Suspicious Networks - Connections to known exfiltration domains (webhook.site, etc.)
  • Obfuscated Code - Base64/hex encoded execution, dynamic eval patterns

Usage

Ask me to scan a skill before you install it:

"Scan this skill for security issues: https://github.com/user/cool-skill"
"Is this skill safe? https://github.com/example/mcp-tool"
"Check https://clawhub.xyz/skill/weather-api for malware"

Verdicts

Verdict      Risk Score   Meaning
SAFE         0-20         No issues found, safe to install
WARNING      21-50        Minor concerns, review before installing
DANGEROUS    51-80        Significant risks detected, avoid
BLOCKED      81-100       Critical threats, do not install

AURA Verified Badge

Skills with a SAFE verdict can display the AURA Verified badge, showing users they've been scanned and approved.

Examples

Safe Skill Response

AURA Skill Scan: weather-api

Verdict: SAFE
Risk Score: 5/100
AURA Verified: Yes

Summary: Clean skill with minimal permissions.
Requests only weather API access.

Recommendation: Safe to install.

Dangerous Skill Response

AURA Skill Scan: suspicious-helper

Verdict: DANGEROUS
Risk Score: 78/100
AURA Verified: No

Findings:
- CRITICAL: Accesses SSH keys (~/.ssh/id_rsa)
- HIGH: Sends data to webhook.site
- HIGH: Runs eval() on decoded base64

Recommendation: Do not install. Contains credential
theft and data exfiltration patterns.

API

This skill calls the AURA Security API:

POST https://api.aurasecurity.io/scan-skill
{
  "skillUrl": "https://github.com/user/skill",
  "format": "auto",
  "includeRepoTrust": true
}

About AURA

AURA (Agent Universal Reputation & Assurance) provides security infrastructure for the AI agent ecosystem. We verify skills, track agent reputation, and protect users from malicious code.

Files

4 total