SkillGuard by Farnwick
Review
Audited by ClawScan on May 10, 2026.
Overview
This security scanner mostly matches its purpose, but it uses your OpenClaw LLM credentials and may send scanned skill files to external providers or a fallback agent in ways that need review.
Review before installing. If you use it, prefer a dedicated LLM API key, confirm which provider will receive scan data, avoid scanning folders that may contain secrets, and treat a CLEAN result as advisory rather than a guarantee.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use configured LLM provider accounts and API tokens from the local OpenClaw profile.
The skill directly reads the local OpenClaw auth-profile store and extracts provider keys/tokens. This is expected for LLM-backed scanning, but it gives the skill access to existing account credentials.
AUTH_PROFILES = os.path.expanduser("~/.openclaw/agents/main/agent/auth-profiles.json") ... return {"provider": "anthropic", "key": prof["key"]}
Use a dedicated low-privilege API key/profile if possible, and verify which provider credentials SkillGuard is allowed to use.
Private skill code, and any secrets accidentally stored in skill folders, could be sent to a provider different from what the documentation leads users to expect.
The actual direct-call order prefers DeepSeek, then OpenRouter, then Anthropic. This differs from the README's Anthropic-first priority, so scanned skill contents may be sent to an unexpected external provider.
provider_order = ["deepseek", "openrouter", "anthropic"]
Make provider selection explicit, align the README with the code, and ask before sending scan contents to non-default providers.
A malicious skill being scanned could try to influence the fallback agent's verdict or behavior, weakening the protection before installation.
The fallback combines scanner instructions and untrusted skill-file contents into one message to another agent, rather than using a protected system channel. The artifacts do not show tool disabling or prompt-injection isolation.
combined = f"{system}\n\n---\n\n{prompt}" ... ["openclaw", "agent", "--local", "--session-id", session_id, "--message", full_prompt, "--json"]
Use a direct model API with a separate system prompt, clearly quote scanned files as untrusted data, disable tools for fallback agent calls, and avoid automatic installation based only on a CLEAN result.
Users have less external information to verify the publisher, source history, or trustworthiness of the scanner.
The skill has limited provenance information. That is not malicious by itself, but it matters for a tool that reads credentials and makes security decisions.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the code before use and install only from a source/version you trust.
