skill-guard

Scan ClawHub skills for security vulnerabilities BEFORE installing. Use when installing new skills from ClawHub to detect prompt injections, malware payloads, hardcoded secrets, and other threats. Wraps clawhub install with mcp-scan pre-flight checks.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 3.7k · 30 current installs · 34 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (pre-install scanning of ClawHub skills) matches the script and SKILL.md. The script uses clawhub to fetch a skill and uvx to run mcp-scan. No unrelated credentials, binaries, or paths are requested.
Instruction Scope
SKILL.md and the script stay inside the stated scope (download to /tmp, run a scanner, install or quarantine). A notable behavior: the script supports --skip-scan and a force-overwrite option, which intentionally allow bypassing the scan; this is a legitimate convenience but reduces the security enforcement if used. The script does not read unrelated system files or request extra env vars beyond an optional CLAWHUB_WORKDIR.
Install Mechanism
There is no package install spec included (instruction-only + included script). The script invokes uvx mcp-scan@latest at runtime and suggests installing uv via a curl | sh installer. That means runtime fetching/execution of remote code (mcp-scan@latest and the uv installer). This is coherent with the goal (it needs a scanner) but introduces the usual supply-chain/runtime-fetch risks; consider pinning scanner versions or verifying uvx origin.
Credentials
No secrets or unrelated environment variables are requested. The only optional config is CLAWHUB_WORKDIR to override the skills directory, which is proportionate.
Persistence & Privilege
always is false and the skill does not try to modify other skills or global agent configuration. It moves staged skill files into the user's skills directory when installing, which is the intended behavior and within scope.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md explicitly discusses prompt injections and includes the phrase as an example; the regex-based detector flagged that pattern but in context it is describing the threat rather than attempting an injection.
Assessment
This skill appears to do what it says: stage a ClawHub skill, run mcp-scan, and install only if clean. Before using it: (1) be aware the script runs remote tooling (uvx mcp-scan@latest) and recommends installing uv via a curl|sh URL — consider pinning the scanner to a specific version and verifying uvx's source before running; (2) inspect the staged directory in /tmp/skill-guard-staging/ if issues are reported (or even before installing) — the script provides a manual mv command to install; (3) avoid using --skip-scan or --force unless you understand the risk (they bypass the scanner); (4) ensure your clawhub CLI is from a trusted source. These are precautionary notes, not contradictions in the skill's design.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.2
latest: vk97ednc1kzm3ga8r6g1dzc9wk980j6bw

SKILL.md

skill-guard

The only pre-install security gate for ClawHub skills.

Why skill-guard?

Criterion       | VirusTotal (ClawHub built-in) | skillscanner (Gen Digital) | skill-guard
When it runs    | After publish (server-side)   | On-demand lookup           | Before install (client-side)
What it checks  | Malware signatures            | Their database             | Actual skill content

Further rows compare the three on: prompt injections, data exfiltration URLs, hidden instructions, AI-specific threats, install blocking (per-tool marks not recoverable here).

VirusTotal catches known malware binaries — but won't flag <!-- IGNORE PREVIOUS INSTRUCTIONS -->.

skillscanner checks if Gen Digital has reviewed it — but can't scan new or updated skills.

skill-guard uses mcp-scan (Invariant Labs, acquired by Snyk) to analyze what's actually in the skill, catches AI-specific threats, and blocks install if issues are found.

The Problem

Skills can contain:

  • 🎭 Prompt injections — hidden "ignore previous instructions" attacks
  • 💀 Malware payloads — dangerous commands disguised in natural language
  • 🔑 Hardcoded secrets — API keys, tokens in plain text
  • 📤 Data exfiltration — URLs that leak your conversations, memory, files
  • ⛓️ Toxic flows — instructions that chain into harmful actions

One bad skill = compromised agent. Your agent trusts skills implicitly.

The Solution

# Instead of: clawhub install some-skill
./scripts/safe-install.sh some-skill

skill-guard:

  1. Downloads to staging (/tmp/) — never touches your real skills folder
  2. Scans with mcp-scan — Invariant/Snyk's security scanner for AI agents
  3. Blocks or installs — clean skills get installed, threats get quarantined

What It Catches

Real example — skill-guard flagged this malicious skill:

● [E004]: Prompt injection detected (high risk)
● [E006]: Malicious code pattern detected
● [W007]: Insecure credential handling
● [W008]: Machine state compromise attempt
● [W011]: Third-party content exposure

VirusTotal: 0/76 engines. mcp-scan caught what antivirus missed.

Usage

# Secure install (recommended)
./scripts/safe-install.sh <skill-slug>

# With version
./scripts/safe-install.sh <skill-slug> --version 1.2.3

# Force overwrite
./scripts/safe-install.sh <skill-slug> --force

Exit Codes

Code | Meaning       | Action
0    | Clean         | Skill installed ✓
1    | Error         | Check dependencies/network
2    | Threats found | Skill quarantined in /tmp/, review before deciding

When Threats Are Found

Skill stays in /tmp/skill-guard-staging/skills/<slug>/ (quarantined). You can:

  1. Review — read the scan output, inspect the files
  2. Install anyway: mv /tmp/skill-guard-staging/skills/<slug> ~/.openclaw/workspace/skills/
  3. Discard: rm -rf /tmp/skill-guard-staging/
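As an added example (not the skill's own scripts/safe-install.sh), the following POSIX-shell gate implements the stage, scan, and install-or-quarantine flow described above, returning the exit codes from the table (0 clean and installed, 1 error, 2 threats found and left in /tmp/skill-guard-staging/skills/<slug>/). The fetch and scan steps are pluggable through SKILL_GUARD_FETCH_CMD and SKILL_GUARD_SCAN_CMD (variable names assumed by this example) so the gate can be exercised with stubs and no network; the default adapters call clawhub and uvx mcp-scan as named on this page, but what they assume about those tools (that clawhub honours CLAWHUB_WORKDIR, that mcp-scan accepts a path argument and prints finding codes like [E004] as in the example output above) should be checked against your installed versions. MCP_SCAN_VERSION lets you pin the scanner rather than run @latest, as the assessment recommends.

```shell
#!/usr/bin/env sh
# Added example, not the skill's own scripts/safe-install.sh: a minimal
# stage -> scan -> install-or-quarantine gate honouring the page's exit codes
# (0 clean and installed, 1 error, 2 threats found and quarantined).
set -u

STAGING_ROOT="${SKILL_GUARD_STAGING:-/tmp/skill-guard-staging}"
SKILLS_DIR="${CLAWHUB_WORKDIR:-$HOME/.openclaw/workspace/skills}"
# Pin the scanner (MCP_SCAN_VERSION=<pinned version>) instead of trusting @latest.
MCP_SCAN_VERSION="${MCP_SCAN_VERSION:-latest}"
# Pluggable adapters (variable names are this example's assumption) so the
# gate can be exercised with stubs and without network access.
FETCH_CMD="${SKILL_GUARD_FETCH_CMD:-default_fetch}"
SCAN_CMD="${SKILL_GUARD_SCAN_CMD:-default_scan}"

# Fetch adapter contract: "$FETCH_CMD" <slug> <staging-root> must leave the
# skill in <staging-root>/skills/<slug>. The default assumes the clawhub CLI
# honours CLAWHUB_WORKDIR as the page's script does; adjust to your CLI.
default_fetch() {
  command -v clawhub >/dev/null 2>&1 || { echo "clawhub CLI not found" >&2; return 1; }
  CLAWHUB_WORKDIR="$2" clawhub install "$1"
}

# Scan adapter contract: "$SCAN_CMD" <skill-dir> returns 0 clean, 2 findings,
# 1 scanner failure. The default assumes mcp-scan takes a path argument and
# prints finding codes like [E004]/[W007] (the format in the page's example).
default_scan() {
  log="$STAGING_ROOT/mcp-scan.log"; status=0
  command -v uvx >/dev/null 2>&1 || { echo "uvx not found (install uv)" >&2; return 1; }
  uvx "mcp-scan@$MCP_SCAN_VERSION" "$1" >"$log" 2>&1 || status=$?
  if grep -Eq '\[[EW][0-9]+\]' "$log"; then cat "$log"; return 2; fi
  [ "$status" -eq 0 ] || { echo "scanner failed (exit $status), see $log" >&2; return 1; }
  return 0
}

# safe_install <slug> [--force]: returns 0, 1 or 2 as in the Exit Codes table.
safe_install() {
  slug="$1"; force="${2:-}"
  # Reject path tricks so the rm/mv below stay inside the two known directories.
  case "$slug" in ''|*/*|*..*|.*) echo "invalid slug: $slug" >&2; return 1 ;; esac
  stage="$STAGING_ROOT/skills/$slug"; dest="$SKILLS_DIR/$slug"

  # 1. Stage under /tmp only; the real skills folder is untouched until the end.
  rm -rf "$stage"; mkdir -p "$STAGING_ROOT/skills" || return 1
  "$FETCH_CMD" "$slug" "$STAGING_ROOT" || { echo "fetch failed for $slug" >&2; return 1; }
  [ -d "$stage" ] && [ -n "$(ls -A "$stage")" ] || { echo "nothing staged at $stage" >&2; return 1; }

  # 2. Scan the staged content; anything but "clean" stops before install.
  "$SCAN_CMD" "$stage"; rc=$?
  if [ "$rc" -eq 2 ]; then
    echo "threats found; skill left quarantined in $stage for review" >&2; return 2
  elif [ "$rc" -ne 0 ]; then
    return 1
  fi

  # 3. Install only a clean skill; refuse to overwrite unless --force was given.
  if [ -e "$dest" ] && [ "$force" != "--force" ]; then
    echo "$dest exists; rerun with --force to overwrite" >&2; return 1
  fi
  mkdir -p "$SKILLS_DIR" && rm -rf "$dest" && mv "$stage" "$dest" || return 1
  echo "installed $slug to $dest"
  return 0
}

# Stand-alone use: ./skill-gate.sh <skill-slug> [--force]
if [ "$#" -gt 0 ]; then
  safe_install "$@"; exit $?
fi
```

The gate never writes into the skills directory until the scanner has returned clean, and a finding leaves the staged copy in place so the manual review, mv or rm -rf steps above apply unchanged. Because the adapters are swappable, the same gate can be pointed at a different scanner or a pinned scanner version without touching the install logic.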

Requirements

  • clawhub CLI: npm i -g clawhub
  • uv: curl -LsSf https://astral.sh/uv/install.sh | sh

Why This Matters

Your agent has access to your files, messages, maybe your whole machine. One malicious skill can:

  • Read your secrets and send them elsewhere
  • Modify your agent's behavior permanently
  • Use your identity to spread to other systems

Trust, but verify. Scan before you install.

Files

2 total