Claw Security Scanner

v0.1.1

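Automatically scans OpenClaw skill files to detect malicious code, credential leaks, dependency vulnerabilities, and permission risks, and provides security assessments and remediation recommendations.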

by SkilledClaw @betsymalthus
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and docs describe a skill-scanner and the repository contains detectors and tests that implement credential, malware, and dependency checks — this is coherent. However, SKILL.md and docs advertise dynamic sandbox execution, auto-fix, CI/Docker deployment, and remote URL scanning while the packaged metadata lists no install/runtime privileges or explicit sandbox tools; the advertised dynamic execution and auto-fix features are not clearly implemented or constrained in the provided files (implementation gap).
Instruction Scope
Runtime instructions explicitly instruct scanning local skills, scanning remote URLs, and running deep/dynamic analysis. The docs promote options like --deep, --auto-fix, scanning --url, and scanning all installed skills (scanOnInstall). Those behaviors legitimately require reading many local files and potentially downloading and executing untrusted code — which is expected for a scanner but also high-risk. The SKILL.md encourages automatic scans on install and automated fixes, which could modify user files. The instructions do not clearly require or document strict sandboxing, network isolation, or safe defaults (e.g., auto-fix disabled), giving the agent broad discretion to read and (potentially) change many files and to fetch remote code.
Install Mechanism
There is no formal install spec in the registry (the skill is 'instruction-only' per metadata), but the bundle includes code, package.json, and an extensive INSTALLATION.md advising pip installs from GitHub and a Docker image (clawsecurity/scanner:latest). Those install suggestions reference common hosts (GitHub, Docker Hub), but the Docker image and the repository are third-party/unverified. No packaged install script is enforced by the registry metadata, so installing via the documented methods would fetch code from external sources (risk depends on the source).
Credentials
The skill declares no required environment variables or external credentials in metadata. The scanner searches for credentials inside scanned code (AWS keys, JWTs, etc.) but does not request those credentials itself — this is proportionate for a scanner. No unrelated secrets or system credentials are requested by the skill metadata.
Persistence & Privilege
always:false (no forced inclusion). However the recommended configuration examples enable autoScan and scanOnInstall, which would cause the scanner to run automatically when skills are installed/updated. That behavior is user-configurable, not an inherent platform privilege, but if enabled it broadens the scanner's reach (reads many skills). There is also an 'auto-fix' feature referenced which could modify files — the registry metadata does not show explicit privileges for that, and the code/docs don't transparently explain safe defaults for these behaviors.
What to consider before installing
This skill appears to be a legitimate security scanner, but exercise caution before enabling any automatic or dynamic features. Before installing or enabling:
1) Review the scanner's code paths that perform dynamic analysis or execute subprocesses (search for code that downloads, extracts, or runs scanned code).
2) Keep autoScan/scanOnInstall and auto-fix disabled by default until you confirm safe behavior; prefer manual scans.
3) Run the scanner in an isolated environment (container or VM) with network disabled when performing deep/dynamic scans of untrusted skills.
4) If you use the documented pip/GitHub/Docker install paths, verify the upstream repository and Docker image are trustworthy; prefer installing only from verified sources.
5) If you lack capacity to audit the dynamic analysis code, do not grant it wide access to your ~/.openclaw/skills tree or enable automatic fixes — treat it as a powerful tool that can read many files and modify them.
Enabling networked reporting/notifications or the Docker image without vetting could allow exfiltration of findings; review where reports would be sent and disable automatic uploads if unsure.

Like a lobster shell, security has layers — review code before you run it.
