Devin Floyd
v1.0.0
Security scanner for OpenClaw/Clawdbot skills - detect malicious patterns before installation
by Devin Floyd (@devinfloyd1)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The skill's name/description say it's a security scanner, which would reasonably require a scanner binary/script or an install step. The SKILL.md shows CLI usage (python scan.py ...) and describes an IOC database, but the package contains no scan.py, no executable, and no install mechanism — mismatch between claimed capability and what's actually provided.
Instruction Scope
Runtime instructions instruct the agent/user to run python scan.py against skills or paths and to produce JSON/markdown output, but there is no scan.py included and no guidance to obtain it. That gap could cause an agent or user to fetch and execute code from external sources without clear provenance.
Install Mechanism
There is no install spec (instruction-only). That lowers persistence risk, but for a scanner this is unusual — a legitimate scanner would typically include code or an install step. A GitHub repo link is present in the SKILL.md, but no automated install/clone instruction is provided.
Credentials
The skill requests no environment variables, credentials, or config paths. The declared requirements (Python 3.8+, stdlib only) are proportionate to a simple static scanner. The SKILL.md does not instruct reading unrelated secrets or system files.
Persistence & Privilege
No elevated persistence requested (always:false). The skill is user-invocable and allows normal autonomous invocation, which is expected. It does not request system-wide configuration changes.
What to consider before installing
This skill reads like documentation for a scanner but does not include the scanner code. Do not run commands like python scan.py unless you first verify the code's provenance. Before installing or running:
1) Inspect the referenced GitHub repository to confirm scan.py and the IOC database actually exist and review their source;
2) Require an explicit install or packaging method (or include scan.py in the skill bundle) so you don't have to fetch code manually;
3) If you must test untrusted scanner code, run it in a disposable sandbox/container and audit network calls and file access;
4) Ask the publisher for a reproducible install/test procedure and for provenance (commit history, trusted maintainer);
5) Prefer scanners distributed via well-known package sources or that include their code in the skill bundle.
Providing the missing scan.py and an install spec (or a verified repo URL and commit hash) would materially increase confidence.

Like a lobster shell, security has layers — review code before you run it.
latest: vk970fjvh5fe9a5xck5bwcdj98s81ctz4
Runtime requirements: 🛡️ Clawdis
OS: macOS · Linux · Windows
