Openclaw Skill Scanner
v1.0.2
Security gate for OpenClaw AgentSkills. Scans folder/ClawHub skills with cisco-ai-defense/skill-scanner before installation. Supports manual scans, staged in...
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the actual behavior: scripts clone/run a skill-scanner, scan user/builtin skills, and quarantine High/Critical findings. The declared runtime tooling in SKILL.md (uv, npx, git, systemctl) aligns with what the scripts call. One minor inconsistency: the registry metadata lists no required env vars, while SKILL.md references OPENCLAW_STATE_DIR and OPENCLAW_WORKSPACE_DIR (the scripts use these with sane defaults).
Instruction Scope
The scripts stay within the stated scope (scan directories, write reports, move failing skill dirs into a quarantine path). They do not read or transmit secrets or access unrelated system config. Important: they run third‑party tooling (uv run skill-scanner, npx clawhub) which executes code from the scanner repo / npm packages — this is expected for a scanner but increases the trust surface. The quarantine logic is careful to only move directories under the user's skills dir.
Install Mechanism
No formal install spec (instruction-only) — scripts instruct cloning the scanner repo from GitHub and using 'uv' and 'npx'. That means remote code (GitHub repo and npm packages) will be fetched and executed by the user. The scripts themselves do not download arbitrary binaries or use obscure URLs; they rely on widely used hosts (github.com, npm via npx).
Credentials
The skill does not request credentials or secrets and only needs workspace/state paths (OPENCLAW_STATE_DIR, OPENCLAW_WORKSPACE_DIR). Those are proportional to its purpose. The registry metadata not listing them is a minor metadata omission but not a dangerous behavior. No unrelated environment variables or config paths are accessed.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill does not attempt to modify other skills' configuration or system-wide settings beyond recommending/using systemd --user units; the systemd unit templates are optional and run as the user. The quarantine move is limited to ~/.openclaw/skills/* and is performed only on High/Critical findings.
Assessment
This skill does what it says: it runs a scanner and can auto‑quarantine skills with High/Critical findings. Before enabling it, consider: 1) it executes third‑party code (the scanner from the GitHub repo and npm packages via npx/uv), so you must trust those upstream projects; 2) it will move (quarantine) user skill directories when High/Critical findings occur — back up your ~/.openclaw/skills if you want a safety copy; 3) it expects 'uv' and 'npx' (and optionally systemd --user) to be available — install and test those first; 4) review the scanner's code/behavior (cisco-ai-defense/skill-scanner and any npm packages used) if you need a higher assurance level. If you are uncomfortable with automated moves, run the scripts manually in a staging environment first.
Like a lobster shell, security has layers — review code before you run it.
latest
Skill Scanner Guard
Harden OpenClaw’s skill supply chain:
- Scan skills with cisco-ai-defense/skill-scanner
- Block only on High/Critical
- Allow Medium/Low/Info but warn
- Auto-scan on changes to ~/.openclaw/skills
- Quarantine failing skills to ~/.openclaw/skills-quarantine
Quick start
Install skill-scanner (repo + uv env)
cd "$HOME/.openclaw/workspace"  # or wherever you keep repos
git clone https://github.com/cisco-ai-defense/skill-scanner
cd skill-scanner
CC=gcc uv sync --all-extras
Note: some environments try gcc-12 while building yara-python; forcing CC=gcc avoids that.
Workflows
1) Scan all user skills (manual)
User skills live at:
~/.openclaw/skills
Run:
$HOME/.openclaw/skills/skill-scanner-guard/scripts/scan_openclaw_skills.sh
Outputs go to:
/home/rev/.openclaw/workspace/skill_scans/
2) Install a folder skill with scan gate (copy/clone workflow)
Use the wrapper instead of copying directly:
$HOME/.openclaw/skills/skill-scanner-guard/scripts/scan_and_add_skill.sh /path/to/skill-dir
Policy:
- Block only if High/Critical exist (unless --force)
- Still installs if only Medium/Low/Info exist, but prints a warning summary
3) Install from ClawHub with scan gate (staging install)
Install to a staging dir, scan, then copy into ~/.openclaw/skills only if allowed:
$HOME/.openclaw/skills/skill-scanner-guard/scripts/clawhub_scan_install.sh <slug>
# optionally
$HOME/.openclaw/skills/skill-scanner-guard/scripts/clawhub_scan_install.sh <slug> --version <version>
4) Auto-scan + quarantine on change (systemd user units)
Install the units (templates are in references/):
mkdir -p ~/.config/systemd/user
cp -a "$HOME/.openclaw/skills/skill-scanner-guard/references/openclaw-skill-scan."* ~/.config/systemd/user/
systemctl --user daemon-reload
systemctl --user enable --now openclaw-skill-scan.path
Behavior:
- Any change under ~/.openclaw/skills/ triggers scripts/auto_scan_user_skills.sh
- If High/Critical findings exist, the script moves failing skill directories to: ~/.openclaw/skills-quarantine/<skillname>-<timestamp>
- Reports are written to: /home/rev/.openclaw/workspace/skill_scans/auto/
Inspect:
systemctl --user status openclaw-skill-scan.path
journalctl --user -u openclaw-skill-scan.service -n 100 --no-pager
ls -la ~/.openclaw/skills-quarantine
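The block/warn policy from workflows 2 and 3 and the quarantine move from workflow 4, sketched as an added example (not the skill's bundled scripts). The one-severity-per-line input, the function names and the timestamp format are assumptions; the scanner's real report format is not shown on this page.

```shell
#!/bin/sh
# Added example: severity gate + scoped quarantine, not the skill's own scripts.
# Assumption: findings arrive as one severity label per line (constructed format).

# Print "block", "warn" or "allow" for the severities read from stdin.
# $1 = "--force" downgrades a block to a warning, as the install wrapper allows.
gate_decision() {
  local force="${1:-}" sev blocking=0 advisory=0
  while IFS= read -r sev; do
    case "$(printf '%s' "$sev" | tr '[:lower:]' '[:upper:]')" in
      HIGH|CRITICAL)   blocking=$((blocking + 1)) ;;
      MEDIUM|LOW|INFO) advisory=$((advisory + 1)) ;;
    esac
  done
  if [ "$blocking" -gt 0 ] && [ "$force" != "--force" ]; then echo block
  elif [ "$blocking" -gt 0 ] || [ "$advisory" -gt 0 ]; then echo warn
  else echo allow
  fi
}

# Move one skill directory into quarantine as <skillname>-<timestamp>.
# Refuses anything that is not a real directory directly under $skills_dir,
# so a symlink or "../" path cannot make the gate move unrelated data.
quarantine_skill() {
  local skills_dir="$1" quarantine_dir="$2" skill="${3%/}" root real name dest
  root="$(cd "$skills_dir" 2>/dev/null && pwd -P)" || return 2
  [ -d "$skill" ] && [ ! -L "$skill" ] || return 2
  real="$(cd "$skill" && pwd -P)" || return 2
  [ "$(dirname "$real")" = "$root" ] || return 2
  name="$(basename "$real")"
  dest="$quarantine_dir/$name-$(date +%Y%m%d-%H%M%S)"   # timestamp format assumed
  mkdir -p "$quarantine_dir" && mv -- "$real" "$dest" && printf '%s\n' "$dest"
}
```

Resolving both paths with `pwd -P` before comparing them is what keeps the move confined to direct children of the skills directory.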
Bundled resources
scripts/
- scan_openclaw_skills.sh: generate markdown reports for user + bundled skills
- scan_and_add_skill.sh: scan candidate folder skill; install only if allowed
- clawhub_scan_install.sh: stage-install from ClawHub, scan, then install
- auto_scan_user_skills.sh: scan-all on ~/.openclaw/skills changes; quarantine High/Critical failures
references/
- openclaw-skill-scan.path / openclaw-skill-scan.service: systemd --user path trigger units
