SkillGuard Scanner

v1.1.0

Security scanner for OpenClaw/ClawHub skills. Detects malware, reverse shells, credential theft, prompt injection, memory poisoning, typosquatting, and suspicious prerequisites before installation. Use when installing new skills, auditing existing skills, checking a skill name for typosquatting, or scanning ClawHub skills for security risks.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for msgnoki/skillguard-scanner.

Install the skill "SkillGuard Scanner" (msgnoki/skillguard-scanner) from ClawHub.
Skill page: https://clawhub.ai/msgnoki/skillguard-scanner
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skillguard-scanner

ClawHub CLI

npx clawhub@latest install skillguard-scanner

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)

Purpose & Capability
The name/description match the included files: SKILL.md documents running scripts/scanner.py to scan skills or check names; the included scanner.py contains heuristics for reverse shells, obfuscation, credential access, typosquatting, etc. No unrelated environment variables, binaries, or install steps are required.
Instruction Scope
Instructions tell the agent/user to run the bundled Python scanner and optionally use --fetch-clawhub (which requires the external 'clawhub' CLI). The scanner will read skill files to look for suspicious patterns (expected). Note: --fetch-clawhub will require network access and the external CLI; review any network-facing operations and where reports are written ({baseDir}/../data/scan_results.json).
Install Mechanism
No install spec — code is shipped in the skill bundle. This is the lowest-risk distribution method (nothing is downloaded or executed automatically during install). The scanner is run explicitly by the user/agent.
Credentials
The skill declares no required environment variables or credentials. The scanner's detection patterns reference common secret names (e.g., OPENAI_API_KEY) only to find them in scanned files; that is appropriate for a scanner and does not imply the skill needs those secrets itself.
Persistence & Privilege
The skill is not always-included and is user-invocable. It does not request persistent agent privileges or modify other skills' configs. It writes a JSON report to a relative data path, which is reasonable for a scanner.
Assessment
This skill appears to do what it advertises, but treat any security tool as you would any code: (1) Inspect scripts/scanner.py yourself before running (it's included in the bundle). (2) Run it in a restricted environment or with least privilege (do not run as root/administrator). (3) Be aware --fetch-clawhub will use network access and an external 'clawhub' CLI; verify that CLI before using. (4) Review flagged results manually — scanners have false positives and may flag benign tooling. (5) If you plan to automate or allow autonomous invocation, consider the same sandboxing and review controls to limit blast radius.

Like a lobster shell, security has layers — review code before you run it.

1.6k downloads
2 stars
2 versions
Updated 2mo ago
v1.1.0
MIT-0

SkillGuard — Skill Security Scanner

Scan OpenClaw skills for security threats before they compromise your system.

Quick Start

Scan all installed skills

python3 {scripts}/scanner.py

Scan a single skill

python3 {scripts}/scanner.py --skill <skill-name>

Check a skill name for typosquatting

python3 {scripts}/scanner.py --check-name <name>

Scan from ClawHub before installing

python3 {scripts}/scanner.py --fetch-clawhub <skill-name>

What It Detects

Critical Threats

  • Reverse shells: nc -e, bash -i >& /dev/tcp, ncat, mkfifo
  • Code obfuscation: base64 -d | bash, eval(), exec() with encoded payloads

High Threats

  • Suspicious URLs: webhook.site, glot.io, ngrok.io, pastebin.com
  • Memory poisoning — Instructions to write to SOUL.md, MEMORY.md, AGENTS.md
  • Malicious prerequisites — Download instructions in docs (the ClawHavoc attack vector)

Medium Threats

  • Credential access — Patterns accessing .env, API keys, tokens, SSH keys
  • Data exfiltration — Outbound HTTP POST/PUT with sensitive data
  • Hardcoded IPs — Public IPs embedded in code
  • Typosquatting — Skill names similar to popular/known skills (Levenshtein ≤ 2)
  • Crypto wallet access — Seed phrases, private keys, wallet patterns
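
The typosquatting rule above (Levenshtein ≤ 2 against known skill names) can be sketched as follows. This is an added example, not code from scanner.py; KNOWN_SKILLS is a constructed list, and lower-casing before comparison is an assumption of this sketch.

```python
# Added example: near-name check with Levenshtein distance <= 2.
# KNOWN_SKILLS is constructed sample data, not SkillGuard's reference list.
KNOWN_SKILLS = ["skillguard-scanner", "web-search", "github", "pdf-reader"]
MAX_DISTANCE = 2  # threshold stated on this page


def levenshtein(a: str, b: str) -> int:
    """Edit distance using the two-row dynamic-programming table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,               # delete ca
                cur[j - 1] + 1,            # insert cb
                prev[j - 1] + (ca != cb),  # substitute (free when equal)
            ))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known=KNOWN_SKILLS, max_distance=MAX_DISTANCE):
    """Return [(known_name, distance)] for known names that `name` resembles."""
    if name in known:
        return []  # the real skill itself is never reported as a squat
    hits = []
    for k in known:
        # Lower-casing (an assumption here) makes case-only variants distance 0.
        d = levenshtein(name.lower(), k.lower())
        if d <= max_distance:
            hits.append((k, d))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # "gitlab" is a legitimately different name that still lands within
    # distance 2 of "github", so a hit is a prompt for review, not a verdict.
    for candidate in ["skilguard-scanner", "githab", "web-search", "gitlab", "calendar"]:
        print(candidate, "->", typosquat_candidates(candidate) or "no near match")
```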

Low Threats

  • Shell execution: subprocess, os.system, child_process (common but worth noting)

Interpreting Results

Risk Levels

  • 🔴 CRITICAL (≥50) — Do NOT install. Likely malicious.
  • 🟠 HIGH (25-49) — Review manually before installing. Multiple suspicious patterns.
  • 🟡 MEDIUM (10-24) — Some flags, likely false positives but worth checking.
  • 🟢 LOW (1-9) — Minor flags, generally safe.
  • ✅ CLEAN (0) — No issues detected.

False Positive Likelihood

Each finding includes a FP estimate (low/medium/high):

  • low — Likely a real threat
  • medium — Could be legitimate, review context
  • high — Probably benign (e.g., security tool referencing attack patterns, search tool using fetch)

Workflow: Before Installing a Skill

  1. Run python3 {scripts}/scanner.py --fetch-clawhub <skill-name> (requires clawhub CLI)
  2. Review the report — anything CRITICAL or HIGH with low FP = reject
  3. If CLEAN or LOW only → safe to install
  4. If MEDIUM → skim the flagged files manually
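
The workflow above, combined with the score bands under Risk Levels, written as a fail-closed pre-install gate. This is an added example, not part of SkillGuard: the finding shape (severity and fp keys) is assumed rather than taken from scan_results.json, and step 2 is read as "overall level CRITICAL, or any critical/high finding whose FP estimate is low".

```python
# Added example: pre-install gate built from this page's risk bands and workflow.
# Risk bands as listed under "Risk Levels" (floor score, label).
RISK_BANDS = [(50, "CRITICAL"), (25, "HIGH"), (10, "MEDIUM"), (1, "LOW"), (0, "CLEAN")]


def risk_level(score):
    """Map a numeric scan score to the page's risk label."""
    if not isinstance(score, int) or isinstance(score, bool) or score < 0:
        raise ValueError(f"invalid score: {score!r}")
    return next(label for floor, label in RISK_BANDS if score >= floor)


def install_decision(score, findings):
    """Return 'reject', 'review' or 'install' for one scanned skill.

    `findings` is a list of dicts with 'severity' and 'fp' keys. That shape is
    an assumption of this example, not the documented report schema.
    """
    level = risk_level(score)
    # A finding with no usable FP estimate is treated as 'low' (likely real),
    # so a malformed report fails closed rather than open.
    confident = [
        f for f in findings
        if str(f.get("severity", "")).upper() in ("CRITICAL", "HIGH")
        and f.get("fp", "low") not in ("medium", "high")
    ]
    if level == "CRITICAL" or confident:
        return "reject"    # step 2
    if level in ("CLEAN", "LOW"):
        return "install"   # step 3
    return "review"        # step 4, and HIGH without a low-FP finding


# Constructed sample results for three hypothetical skills.
SAMPLES = {
    "notes-helper": (0, []),
    "http-fetcher": (14, [{"severity": "medium", "fp": "high"}]),
    "free-wallet-tool": (31, [{"severity": "critical", "fp": "low"}]),
}

if __name__ == "__main__":
    for name, (score, findings) in SAMPLES.items():
        print(f"{name}: {risk_level(score)} -> {install_decision(score, findings)}")
```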

Output

  • Console summary with emoji risk levels
  • JSON report saved to {baseDir}/../data/scan_results.json (configurable via --json-out)

Context: Why This Matters

As of February 2026, 341 malicious skills were found on ClawHub (Koi Security / ClawHavoc campaign), distributing Atomic Stealer malware via fake prerequisites. OpenClaw has 512 known vulnerabilities (Kaspersky audit). There is no official skill vetting process. SkillGuard fills this gap.

See references/threat-landscape.md for detailed background.
