Security Checker
v1.0.1
Security scanner for Python skills before publishing to ClawHub. Use before publishing any skill to check for dangerous imports, hardcoded secrets, unsafe file operations, and dangerous functions like eval/exec/subprocess. Essential for maintaining trust and ensuring published skills are safe for others to install and run.
⭐ 0 · 1.3k · 1 current · 1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence
Purpose & Capability
The name/description describe a pre-publish Python security scanner and the included script implements exactly that (pattern-based checks for dangerous imports/functions, hardcoded secrets, and unsafe file operations). Nothing requested (no env vars, no binaries, no config paths) is out of scope for that purpose.
Instruction Scope
SKILL.md instructs the agent/user to run the bundled security_scan.py against files or directories and to review warnings before publishing. The instructions do not tell the agent to read unrelated system state, secrets, or to transmit results externally; they stay within the stated scanning purpose.
Install Mechanism
There is no install spec (instruction-only plus a small local script). Nothing is downloaded or extracted from external URLs and no third-party packages are installed by the skill itself.
Credentials
The skill requests no environment variables or credentials. The scanner looks for hardcoded secrets in scanned files but does not itself require or access secrets — this is appropriate for a static scanner.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It is user-invocable and can be invoked autonomously (platform default), which is reasonable for a utility.
Assessment
What to consider before installing:
- This tool is a local, static scanner (no network exfiltration or credential requests). It reads files you point it at and prints findings.
- False positives are expected (e.g., legitimate uses of os, requests, or filesystem writes). Warnings require manual review and documentation as noted in SKILL.md.
- The scanner itself is simple and readable; you can audit scripts/security_scan.py quickly to confirm behavior.
- Because it flags hardcoded secrets, avoid running it in contexts where printing detected secrets to logs would leak sensitive data to others (the script avoids printing the secret contents but shows file/line info).
- Complement this tool with manual review and other tools (bandit, safety) and run scans in an isolated environment when processing untrusted code.
Like a lobster shell, security has layers — review code before you run it.
Tags: audit, latest, safety, security, tools
