CrawSecure

v2.0.1

Offline security scanner that detects unsafe code patterns in ClawHub skills before installation to help users assess potential risks locally.

by Diogo Paes Dev (@diogopaesdev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description claim an offline security scanner, and the SKILL.md explicitly says this skill is documentation-only for an external CrawSecure CLI. No unrelated environment variables, binaries, or install steps are requested, which is proportionate for a documentation skill.
Instruction Scope
SKILL.md contains only documentation and guidance, explicitly states it performs no scanning or network access, and does not instruct the agent to read files, env vars, or execute commands. It does link to an external GitHub repo/website for the CLI — expected for a documentation skill.
Install Mechanism
There is no install spec and no bundled code. As an instruction-only skill this has the lowest install risk; any installation risk is deferred to the external CLI distribution referenced in the docs.
Credentials
The skill requests no environment variables, credentials, or config paths, which matches its documentation-only nature.
Persistence & Privilege
always is false and the skill does not request persistent privileges or modify agent/system settings. user-invocable and model invocation defaults are normal and acceptable for a docs skill.
Assessment
This skill is documentation-only and appears coherent, but the actual CrawSecure scanner it documents is an external binary you would download separately. Before installing or running that external CLI:

1) verify the GitHub repo and release artifacts (owner identity, tags) are legitimate;
2) check release checksums or signatures where available;
3) review the CLI source code if you can, or run it in a sandbox/non-privileged environment;
4) avoid running downloaded binaries as root; and
5) prefer official distribution channels (GitHub releases, official site) over third-party mirrors.

Also be aware that the SKILL.md's statements about not accessing network or not executing code are descriptive; they cannot enforce behavior of any external CLI you choose to install.

Like a lobster shell, security has layers — review code before you run it.


