Pre-Install Scanner
v1.1.0
Pre-install safety check for ClawHub skills — scans for the 3 highest-risk signals before anything lands on disk. Free taster. Full 10-signal scanner in the...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the declared requirements and instructions: the skill fetches SKILL.md/meta from ClawHub and scans for exec+network, hardcoded URLs, and publisher verification. Required tools (web_fetch, web_search) are appropriate and no unrelated credentials or binaries are requested.
Instruction Scope
Runtime instructions are limited to fetching manifests, checking patterns (exec/network, URLs), and looking up publisher metadata. The docs show specific fetch endpoints and clear risk/rating rules. One minor note: the text says it "intercepts a clawhub install" — this is coherent if the platform invokes the skill pre-install, but the operator should confirm the platform actually triggers the skill at that hook.
Install Mechanism
No install spec and no code files that would be written or executed on disk; instruction-only approach is lowest-risk for installation. Nothing is downloaded from arbitrary URLs by the skill itself.
Credentials
No environment variables, keys, or config paths requested. The checks it performs (web fetch/search) do not require additional credentials, so requested access is proportionate to purpose.
Persistence & Privilege
Skill is not always-enabled and does not request elevated or cross-skill configuration changes. It instructs blocking installs and requiring --force overrides, which is appropriate behavior for a pre-install gate.
Assessment
This skill is instruction-only and coherent with its stated purpose: it fetches skill manifests and flags risky patterns before install, and it doesn't ask for secrets. Before installing, confirm your platform actually invokes pre-install skills at the install hook (so the "intercept" claim is meaningful). Also remember this is a free 3-signal taster — it is not a full audit, so consider running a post-install scanner or using the full Security Pack for deeper checks. Beware of external purchase links (Gumroad) if you consider buying the full pack.
Like a lobster shell, security has layers — review code before you run it.
