ClawHub

Skillscan

v1.0.0

Scan an OpenClaw SKILL.md file for security threats before installing it. Posts the raw SKILL.md content and gets back a safety score (0-1), detected threat...

0· 34·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (SKILL.md scanner) align with required binary (python), listed pip packages (fastapi, uvicorn, pydantic), and included code files which implement a local FastAPI scanner. No unrelated credentials, config paths, or unrelated binaries are requested.
Instruction Scope
SKILL.md instructs running a local uvicorn server and POSTing raw SKILL.md content to it — this is appropriate for a scanner, but the endpoint accepts raw skill content (which might itself contain secrets). The detector logic is rule-based (regexes) and may produce false positives (e.g., harmless docs mentioning API_KEY) or false negatives for novel obfuscation; the SKILL.md does not request the agent to read arbitrary system files or other unrelated environment variables.
Install Mechanism
Install spec is a uv-style pip install of known Python packages (fastapi, uvicorn, pydantic) — this is proportionate. The registry metadata shows an 'uv' install entry which appears to map to pip; the spec is not a remote arbitrary binary download. Confirm that the platform's install runner will install these packages from a trusted registry (PyPI).
Credentials
No environment variables, secrets, or config paths are requested. The code does not reference external credentials. This is proportionate for a local scanning utility.
Persistence & Privilege
always is false and the skill does not request elevated/system-wide privileges or alter other skills' configs. It runs as a normal local service (uvicorn) and does not claim permanent elevated presence.
Assessment
This skill appears internally consistent and appropriate for scanning SKILL.md files. Before installing: (1) verify that the platform will install the listed pip packages from trusted sources (PyPI) and not a mirror you don't control, (2) run the uvicorn server locally and avoid exposing its port to the public (it accepts raw SKILL.md content, which could include sensitive data), and (3) treat its results as heuristic — the scanner uses regex rules that can both false-flag benign content and miss cleverly obfuscated threats, so manual review of any suspicious findings is still recommended.

Like a lobster shell, security has layers — review code before you run it.

latestvk978vhdyxccy6cv1de20rqzm5584s1jj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binspython

Install

uv

Comments