Skill Scan

v1.0.0

Security scanner for OpenClaw skill packages. Scans skills for malicious code, evasion techniques, prompt injection, and misaligned behavior BEFORE installation. Use to audit any skill from ClawHub or local directories.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the included functionality: a multi-layer scanner with optional LLM analysis and ClawHub integration. Requested environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, PROMPTINTEL_API_KEY, alert channel vars) are consistent with LLM scanning and alerting. One mismatch: the registry metadata says 'instruction-only / no install spec' but the package contains a full Python project (CLI, analyzers, tests, 100+ files). That isn't necessarily malicious, but it's an inconsistency you should be aware of (code will be present in the skill directory even though no platform-level installer is declared).
Instruction Scope (flagged)
The SKILL.md contains explicit runtime instructions for the agent (scan-before-install workflow) and templates to insert into AGENTS.md. Option A uses strong language ('non-negotiable — never skip the scan') and recommends automatic pre-install scanning/blocking behavior. While this is plausible for a security tool, it also instructs the agent to alter its install workflow and to block installs automatically — a higher-scope action than simply providing a scanner. Additionally, automated alerting and LLM-provider auto-detection are described; the SKILL.md also includes content that triggered prompt-injection detections (see scan_findings_in_context).
Install Mechanism
No external install spec or remote download is declared (low install-mechanism risk). However, the repository includes a full Python CLI and many code files that would be written into the workspace when the skill is installed. There are no suspicious remote URLs or archive installs in the metadata, but because code is present, review the included source before running any CLI or LLM-enabled features.
Credentials
Environment variables mentioned are appropriate for the stated features: LLM provider keys for optional deep analysis (OPENAI_API_KEY, ANTHROPIC_API_KEY), a PROMPTINTEL key for an optional integration, and alert-channel variables for sending notifications. No unrelated or excessive credentials are demanded in SKILL.md or project metadata.
Persistence & Privilege (flagged)
The skill suggests automatically modifying your AGENTS.md (agent instruction file) during installation to enforce pre-install scanning. That amounts to persistent changes to the agent's behavior/configuration and is outside a simple on-demand scanner's minimal scope. The skill does not set always:true, but it does recommend automatic, non-optional integration which increases its effective privilege. If you allow the skill to edit agent instructions, you should review/approve the exact changes.
Scan Findings in Context
[ignore-previous-instructions] unexpected: Pre-scan detected 'ignore previous/prior instructions' style phrasing (a common prompt-injection pattern). A security scanner describing how to insert itself into agent workflows should not include hidden or coercive override instructions; this may be present in SKILL.md or in supplied AGENTS.md templates and should be inspected for malicious phrasing or hidden characters.
[unicode-control-chars] unexpected: Pre-scan detected unicode control / invisible characters in SKILL.md content. These can be used for stealthy prompt-injection or hiding directives. If you plan to install, inspect the SKILL.md and any AGENTS.md templates for hidden characters and render them in a safe editor that can show such characters.
What to consider before installing
This package appears to be a legitimate, featureful skill-scanner, but there are some red flags you should act on before installing or enabling automatic behavior:

1) Inspect the SKILL.md and AGENTS.md templates for hidden or coercive instructions (look for 'ignore previous instructions' language and any invisible/unicode-control characters). If present, remove or sanitize those lines.
2) Review the included source files (skill_scan/ and test-fixtures/) locally or in a sandbox before running the CLI, especially if you will grant it permission to edit AGENTS.md or run LLM-enabled analysis. The code bundle contains both safe test fixtures and explicit malicious examples used for evaluation, so confirming its behaviour matters.
3) Be cautious about granting LLM API keys (OPENAI_API_KEY/ANTHROPIC_API_KEY) to the environment unless you trust the skill; LLM layers run arbitrary prompt content against those providers.
4) Prefer manual (on-demand) scanning over automatic installation hooks. If you choose automatic integration, require an explicit review step and back up the current AGENTS.md before allowing modifications.
5) If you accept the skill, run it initially with static analysis only (no --llm) and examine the JSON output (--json) to verify the scanner's behavior; only enable alerting channels after testing.

If you want, I can: (a) show the exact AGENTS.md templates included so you can inspect them, (b) list files in skill_scan/ that perform code execution or network calls, or (c) produce a sanitized AGENTS.md patch you can apply manually instead of allowing the skill to change it automatically.

Like a lobster shell, security has layers — review code before you run it.
