skill-guard
v1.0.2

Scan ClawHub skills for security vulnerabilities BEFORE installing. Use when installing new skills from ClawHub to detect prompt injections, malware payloads, hardcoded secrets, and other threats. Wraps clawhub install with mcp-scan pre-flight checks.

⭐ 2 · 8.3k · 59 current · 64 all-time
by hola@jamesouttake
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
The name/description (pre-install scanning of ClawHub skills) matches the script and SKILL.md. The script uses clawhub to fetch a skill and uvx to run mcp-scan. No unrelated credentials, binaries, or paths are requested.
Instruction Scope
SKILL.md and the script stay inside the stated scope (download to /tmp, run a scanner, install or quarantine). A notable behavior: the script supports --skip-scan and a force-overwrite option, which intentionally allow bypassing the scan; this is a legitimate convenience but reduces the security enforcement if used. The script does not read unrelated system files or request extra env vars beyond an optional CLAWHUB_WORKDIR.
Install Mechanism
There is no package install spec included (instruction-only + included script). The script invokes uvx mcp-scan@latest at runtime and suggests installing uv via a curl | sh installer. That means runtime fetching/execution of remote code (mcp-scan@latest and the uv installer). This is coherent with the goal (it needs a scanner) but introduces the usual supply-chain/runtime-fetch risks; consider pinning scanner versions or verifying uvx origin.
Credentials
No secrets or unrelated environment variables are requested. The only optional config is CLAWHUB_WORKDIR to override the skills directory, which is proportionate.
Persistence & Privilege
The skill's always flag is false, and the skill does not try to modify other skills or global agent configuration. It moves staged skill files into the user's skills directory when installing, which is the intended behavior and within scope.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md explicitly discusses prompt injections and includes the phrase as an example; the regex-based detector flagged that pattern but in context it is describing the threat rather than attempting an injection.
Assessment
This skill appears to do what it says: stage a ClawHub skill, run mcp-scan, and install only if clean. Before using it: (1) be aware the script runs remote tooling (uvx mcp-scan@latest) and recommends installing uv via a curl|sh URL — consider pinning the scanner to a specific version and verifying uvx's source before running; (2) inspect the staged directory in /tmp/skill-guard-staging/ if issues are reported (or even before installing) — the script provides a manual mv command to install; (3) avoid using --skip-scan or --force unless you understand the risk (they bypass the scanner); (4) ensure your clawhub CLI is from a trusted source. These are precautionary notes, not contradictions in the skill's design.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ednc1kzm3ga8r6g1dzc9wk980j6bw
