OpenClaw Skill Scanner

Pass. Audited by ClawScan on Feb 11, 2026.

Overview

This package is a local skill-scanner and safe-install wrapper whose requested files and behavior match its stated purpose (scanning skills and optionally copying them into the user's skills directory).

This package is a local scanner plus safe-install wrapper and appears coherent with that purpose. Before installing or using it:

1) Review whitelist.json: it contains local whitelist/blacklist decisions and will block blacklisted slugs.
2) Ensure you trust the openclaw CLI used to download skills; install-hook.sh delegates downloading to that tool.
3) Understand that the scanner is regex-based and can produce false positives: it will flag common patterns such as subprocess/os.system, long base64 strings, and network calls.
4) Because install-hook.sh copies files into ~/.openclaw/workspace/skills, run it in a sandbox or inspect scan reports before allowing suspicious installs.
5) If you need higher assurance, audit the remainder of scanner.py for outbound network calls (none were found in the provided fragments) and run scans on known-good samples to calibrate the false positive rate.