Skill Security Scanner by dxx
v1.0.0
Scan installed OpenClaw skills for potential security risks. Use when you want to check if skills contain dangerous commands, access sensitive paths, or have...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Benign (high confidence)
Purpose & Capability
Name and description match behavior: the code scans ~/.openclaw/workspace/skills for dangerous commands, sensitive paths, and network-call patterns. The requested resources (none) align with a local scanner.
Instruction Scope
SKILL.md instructs running the included Python script from the skills directory which is consistent with its purpose. The scanner reads all non-ignored files under the skills tree (may read files that contain secrets), and it ignores some document filetypes; these are implementation choices (may cause false negatives/positives) but not scope creep.
Install Mechanism
No install spec; the skill is instruction+script only. Nothing is downloaded or written to disk by an installer step beyond the existing skill files.
Credentials
No environment variables, credentials, or config paths are requested. The scanner only looks for sensitive path strings in other skills' files; it does not attempt to read external secrets or ask for unrelated credentials.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill does not modify other skills or global agent settings; it simply reads files under the skills directory.
Assessment
This script appears to be a straightforward local scanner. Before running it, inspect the skill_scan.py yourself (you already have the source) and confirm it contains no network calls or code-execution paths (it does not). Run it in a safe/test environment if any skills contain sensitive secrets, since the scanner will read files under ~/.openclaw/workspace/skills. If you use it regularly, consider improving false-positive handling and binary detection, and avoid trusting scanner output as a replacement for manual review of flagged files.
Like a lobster shell, security has layers — review code before you run it.
Tags: latest, safety, scan, security, skill
