Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OmniAudit

v1.0.4

Security scanner for OpenClaw skills, SKILL.md files, and code. Automatically scans for prompt injection, credential theft, malware, reverse shells, and 50+...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name and description (a remote security scanner) match the SKILL.md, which describes free GitHub-URL scans and paid snippet or deep scans via https://omniaudit.fly.dev. No unrelated credentials, binaries, or install steps are requested, which is proportionate to a network-based scanner.
Instruction Scope
The instructions explicitly require user consent before sending local files or initiating payment, and they name the endpoints used (/audit, /audit/deep). This is appropriate, but the skill necessarily sends code or ZIPs to an external service, a privacy and exfiltration risk inherent to any remote scanner that users should be told about. The SKILL.md is reasonably prescriptive about consent, but runtime adherence cannot be verified without implementation code.
Install Mechanism
No install spec and no code files are included (instruction-only). That minimizes local-write risk; the skill relies on network requests only.
Credentials
The skill requests no environment variables or credentials; payment is described as using the x402 protocol on Base and is required only with explicit user consent. No disproportionate secret access is requested.
Persistence & Privilege
The skill does not request always:true or any elevated persistence. It is user-invocable and allows model invocation (the default), which is expected for a service-invoking skill.
Assessment
This skill is coherent for a remote code scanner: it will send code or repo ZIPs to https://omniaudit.fly.dev and may ask you to pay per-scan (described in SKILL.md). Before using it: (1) verify you trust the OmniAudit service and its homepage, privacy, and payment handling; (2) do not send secrets, private keys, or sensitive production code unless you accept that it will leave your environment; (3) require the agent to obtain explicit consent before any payment or transmission (the SKILL.md demands this, but you should verify it in practice); and (4) if you prefer not to expose code externally, use a local/offline scanner instead. Because this is instruction-only with no code to audit, we cannot inspect the server-side behavior — that is why confidence is medium rather than high.


Tags: latest, malware, scanner, security, skills, x402

