skills-firewall
v1.0.0
Security firewall for skills that automatically blocks and filters malicious or potentially harmful skills. Use when: (1) Scanning skills for security threat...
⭐ 0 · 291 · 2 current · 2 all-time
by @huzibbs
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
Name/description match the code: the package contains a scanner (scan_skill.py), a firewall/checker (firewall_check.py) and a report generator (generate_report.py). Required env/config access is minimal (none declared). However, there are implementation inconsistencies between components: scan_skill uses regex-based threat indicators, while firewall_check does simple case-insensitive substring matching against rules. That mismatch can lead to different outcomes between scanning and firewalling. Also, the ActionType enum and the way action values are produced and compared appear buggy (ActionType members are defined as tuples, but code later treats .value like a string), which could break decision logic.
Instruction Scope
SKILL.md instructs the agent to run the included scripts against arbitrary skill paths. The code will recursively read any file under the provided path with common source extensions ('.py', '.sh', '.js', '.ts', '.ps1', '.md', '.bat') via os.walk — this is expected for a scanner but means the tool will read any files you point it to (including sensitive files if you give it a broad path). The scripts do not perform network calls or exfiltrate data, but they will collect and return matched snippets and metadata about files they read.
Install Mechanism
No install spec or remote downloads. This is instruction-only with bundled Python scripts that run locally. That minimizes supply-chain risk from installation, assuming you run the code locally and don't modify it to fetch remote artifacts.
Credentials
The skill declares no required environment variables, credentials, or config paths. The code also does not attempt to read environment variables beyond typical YAML/config files — so requested permissions match the described purpose.
Persistence & Privilege
Flags show always:false and model invocation allowed (normal). The skill does not request persistent installation or modify other skills' configs. It can export/import a local YAML config and write to a quarantine directory (default './quarantine') which is within the scope of a firewall tool.
Scan Findings in Context
[filesystem_read_os_walk] expected: The scanner uses os.walk to read all files under the provided skill path and will open .py/.md/.sh/.js/etc files. This is expected for a static scanner but means it will read any file you point it at (including secrets if you scan a directory that contains them).
[detection_pattern_mismatch] unexpected: Two different detection approaches are present: scan_skill.py uses regex-based ThreatIndicator patterns, while firewall_check.py uses simple case-insensitive substring matching on rule.patterns. That can produce different matches and inconsistent threat levels between scan and firewall decisions.
[action_enum_value_bug] unexpected: ActionType enum members are defined as tuples (priority, string) but the code manually sets an internal _value_ and later compares decision.action to ActionType.<X>.value. This is likely a logic/typing bug that can cause decisions to be returned or compared in unexpected formats (tuple vs string), breaking filtering logic.
What to consider before installing
This package appears to implement exactly what it claims (a local skills scanner/firewall), but review the code before trusting it on important data. Recommended steps before using or installing:
1) Inspect and run the scripts in a sandbox or unprivileged environment (do not point them at system root or directories with secrets).
2) Test on known-good and intentionally-malicious sample skills to verify decisions and to see whether scan_skill and firewall_check agree.
3) Pay attention to the ActionType handling and decision outputs — the enum/value handling looks buggy and could cause misclassification or no action.
4) Consider hardening rules to avoid blocking useful legitimate code (the rules are conservative and substring-based in places, causing false positives).
5) If you will run this in automation, ensure the quarantine behavior and export/import config paths are safe for your environment.
If you are not comfortable auditing the Python code, treat this as untrusted and do not run it on sensitive directories.

Like a lobster shell, security has layers — review code before you run it.

latest vk97b92dc7a8jcjq0ngxr6609t9825exr
