Security Audit by Jason

v1.0.0

Security audit for external resources (GitHub repos, downloaded skills, files). Detects malicious code, suspicious executables, and content mismatches. Use w...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match implementation: the skill includes a Python script (audit.py) that performs static checks, and the only declared requirement is python3. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md instructs running audit.py against a local repo and suggests inserting it into workflows (after git clone / clawhub install). The script scans files recursively in the provided directory for suspicious patterns and large single-line files; it does not attempt to read environment secrets or reach external endpoints. Note: the README/SKILL.md suggests automatic invocation by OpenClaw but the package contains no install hooks — wiring into CI/clone workflows is manual.
Install Mechanism
No install spec; this is instruction + script only. The script is local and there are no downloads or extract steps that would pull arbitrary remote code.
Credentials
The skill requires no environment variables, no credentials, and only needs read access to the scanned directory. No credentials or unrelated external service tokens are requested.
Persistence & Privilege
The 'always' setting is false, and the script does not write persistent configuration or modify other skills. It prints reports to stdout or to an optional output file only. Enabling automatic invocation would be a user action.
Assessment
This appears to be a local static-audit tool; it's coherent with its description. Before installing or auto-wiring it into workflows: (1) review audit.py yourself so you trust the logic, (2) run it in an isolated environment (VM/container) the first few times, (3) remember it's heuristic-only and can produce false positives (large data files, minified code), and (4) do not rely on it as a sole defense — use it as a pre-check and perform manual review for critical code. If you plan to auto-run it after every git clone, be aware you must add that hook yourself; the skill does not auto-install that behavior.

Like a lobster shell, security has layers — review code before you run it.

Tags: audit · latest · safety · security


Runtime requirements

🛡️ Clawdis
Bins: python3
