Seguranca Auditoria

v1.0.0

Security audit for OpenClaw skills. Checks for malicious code, prompt injection, dangerous APIs and insecure practices. Protects against ClawHavoc and...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (security audit for OpenClaw skills) matches the instructions (what to look for: exec/eval, suspicious domains, credential leakage, etc.). The skill does not request unrelated credentials or binaries. Minor metadata inconsistency: registry metadata at the top shows no homepage/source, while clawhub.json includes a GitHub homepage — worth verifying the authoritative source before installing.
Instruction Scope
SKILL.md consists of audit guidance (patterns to flag, report format, sample CLI usage). The instructions focus on examining target skill code/config for risky constructs and do not direct the agent to exfiltrate user data or access unrelated system secrets. Note: SKILL.md shows CLI usage (seguranca-auditoria auditar ...) despite there being no packaged binary or install spec in this bundle; that is typical for an instruction-only skill but means the instructions describe behavior rather than an included executable.
Install Mechanism
There is no install spec and no code files — lowest-risk form. The README suggests using 'clawhub install' to install the skill from the registry; that is consistent with instruction-only skills being provided by the platform rather than by this package.
Credentials
The skill does not request environment variables, credentials, or config paths. The audit guidance specifically flags access to sensitive paths (e.g., ~/.ssh, .env) in target skills rather than requesting them for itself.
Persistence & Privilege
always is false and the skill is user-invocable. Model invocation is allowed (platform default); nothing in the package demands permanent or elevated presence.
Assessment
This skill appears coherent and low-risk as an instruction-only audit checklist. Before installing, verify the authoritative source (clawhub registry entry or the GitHub repo referenced in clawhub.json) and the publisher identity. Understand that the skill's instructions describe audits an agent would perform on other skill code — an agent will need permission to read the target skill files to run these checks, so only run it against code you permit the agent to inspect. If you expect a packaged executable, confirm the registry provides one (this bundle contains only documentation).

Like a lobster shell, security has layers — review code before you run it.

latestvk97fgx3b4tfd1w361ej8ay7zks83axts
