CLAW-1 Skill Auditor
v1.0.0
Analyze SKILL.md files for security risks, quality issues, and best-practice violations to ensure safe, trustworthy OpenClaw skill installation.
by @gpunter
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)

Purpose & Capability
Name and description (SKILL.md auditor) align with the required resources: no binaries, no env vars, no installs. All requested capabilities (reading a SKILL.md from a path or URL and producing a report) are proportionate to the stated purpose.
Instruction Scope
Instructions are limited to static analysis of SKILL.md files (paths or URLs) and generating reports. This is within scope. Note: fetching a SKILL.md via URL will cause the agent to retrieve remote content (expected), and the auditor explicitly states it cannot detect runtime-only attacks — users should still manually review items flagged and be cautious about including secrets in SKILL.md content.
Install Mechanism
No install spec and no code files — lowest-risk model for an instruction-only skill. Nothing is written to disk by an installer.
Credentials
No environment variables, credentials, or config paths are requested. This is proportional for a static auditor and avoids unnecessary access to secrets or other services.
Persistence & Privilege
The always flag is false and the skill is user-invocable. Model invocation is allowed (platform default), but there is no elevated persistence and no request to modify other skills or system settings.
Assessment
This skill is internally consistent and doesn't ask for secrets or installs, so it appears safe to install for use as a static SKILL.md auditor. Before using it: (1) avoid placing secrets or tokens inside SKILL.md files you audit, since fetching a URL exposes that content to the agent; (2) remember it's a static tool — it cannot detect runtime-only or delayed malicious behavior, so manually review warnings (especially undocumented network calls or unusual install steps); (3) be cautious sharing audit reports publicly if the audited SKILL.md contains sensitive information. If you need the auditor to fetch remote SKILL.md files, trust the source or fetch the file yourself and supply the local copy for analysis.
