ClawShield

Scan a skill directory without executing it and return a risk level that can be enforced in review or CI.

When to use

• You want a fast static review before installing or publishing a skill.
• You need machine-readable findings for CI or release gates.
• You want a narrow ruleset aimed at common high-risk supply-chain patterns.

Command

node {baseDir}/bin/clawshield.js scan /path/to/skill --format table
node {baseDir}/bin/clawshield.js scan /path/to/skill --format json
node {baseDir}/bin/clawshield.js scan /path/to/skill --format sarif > clawshield.sarif
node {baseDir}/bin/clawshield.js scan /path/to/skill --format table --fail-on caution

Rules

Rule ID	Severity	Description
CS001_CURL_PIPE_SH	high	curl or wget piped directly into a shell
CS002_OBFUSCATED_EXEC	high	obfuscated or dynamic execution such as eval, new Function, or base64 decode flows
CS003_SUSPICIOUS_CALLBACK	medium	suspicious outbound callback endpoints such as raw IPs, ngrok, or webhook collectors
CS004_SOCIAL_ENGINEERING_PROMPT	medium	instructions that pressure users to bypass safety controls
CS005_SHELL_WRAPPER_EXEC	high	bash -c wrappers that hide remote execution

Risk levels

• Safe: no findings after suppressions
• Caution: one or more medium-severity findings
• Avoid: one or more high-severity findings

Suppressions

Create .clawshield-suppressions.json in the target skill directory:

[
  {
    "ruleId": "CS001_CURL_PIPE_SH",
    "file": "install.sh",
    "line": 15,
    "justification": "Reviewed manually; uses a pinned artifact with signature verification."
  }
]

Suppressions without justification are ignored.

CI example

- run: node {baseDir}/bin/clawshield.js scan . --format sarif --fail-on caution

Boundaries

• ClawShield is a static scanner. It does not sandbox or execute the target skill.
• The rule set is intentionally narrow and should be treated as a high-signal first pass, not a full security audit.