ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Klemenska Security Auditor

v1.0.0

Scan and audit installed skills for security risks, suspicious patterns, and permission overreach. Use when: (1) before installing a new skill; (2) periodica...

0· 57·0 current·0 all-time
by@klemenska
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the included scripts: audit.py and scan_skill.py implement scanning of installed skills, permission extraction, and report generation. No unrelated credentials, binaries, or installs are requested. However some scanner behaviours (see instruction_scope) are disproportionate or risky for a trustworthy auditor.
!
Instruction Scope
SKILL.md instructs running the included Python scripts which recursively read skill directories (default ~/.openclaw/workspace/skills). The scripts scan files for dangerous patterns and can generate reports. Concerning behaviours: audit/scan scripts intentionally skip or suppress many pattern flags when the filename contains 'audit' or 'scan', and audit_skill explicitly skips 'self-audit' for the security-auditor. These exceptions create an evasion surface where a malicious skill could name files to avoid detection or put malicious code inside similarly named files.
Install Mechanism
There is no install spec and no downloads — the skill is instruction + included Python scripts. That reduces supply-chain risk compared with remote installs.
Credentials
The skill requires no environment variables or credentials and only needs filesystem read access to the skills directory it audits. That access is appropriate for an auditor. It does not attempt network exfiltration in the provided code.
Persistence & Privilege
always:false and no special privileges are requested. The scripts read user skill files and produce reports; they do not modify other skills or system configurations. This is proportionate to an audit tool.
Scan Findings in Context
[skips_files_with_audit_or_scan] unexpected: scan_skill.check_file_safety intentionally suppresses many pattern flags when 'audit' or 'scan' appears in the filename/path (it still flags hardcoded credentials). This allows malicious code placed in files named with 'audit' or 'scan' to evade many detections — not expected for a robust auditor.
[self_audit_skip] expected: audit_skill skips self-audit to avoid false positives for the auditor itself. Self-exclusion is reasonable, but the implementation also compares skill_path to __file__ (which may not reliably identify the auditor), and combined with the filename-based suppression it widens the evasion surface.
[default_skills_path_read] expected: scan_installed_skills defaults to ~/.openclaw/workspace/skills and will read all skill directories there. This is expected behavior for a skill auditor, but it does mean the tool can access all installed skills' files.
[misclassified_patterns] unexpected: RED_FLAGS groups 'eval(' and 'exec(' under 'network' and other pattern-category mismatches exist; these logic/labeling errors could lead to incorrect risk classification and misleading reports.
[no_network_exfiltration_code] expected: No code in the included scripts performs network requests or exfiltration; the auditor appears local-only. This matches the skill's stated purpose.
What to consider before installing
This auditor generally does what it promises (scans skill files and produces reports) but I found design choices that could be abused to hide malicious code. Before you rely on its output: (1) review the auditor's own code yourself or have a trusted reviewer check it — pay special attention to files named with 'scan' or 'audit' because the scanner intentionally suppresses many flags for such filenames; (2) run the auditor in an isolated sandbox or ephemeral container that cannot access secrets (SSH keys, ~/.aws/, etc.) to avoid accidental disclosure; (3) test the auditor against known safe and malicious samples to confirm it detects the patterns you care about; (4) do not grant this tool network or broader system permissions without additional review. If you want, I can list the exact lines/locations in the included scripts that implement the filename-based suppression and the self-skip logic so you can inspect or patch them.
scripts/audit.py:32
Dynamic code execution detected.
scripts/scan_skill.py:95
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk977g0fh5z05dmfqd5h78rqgwx83jr4k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments