Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill-audit

Security scanner for OpenClaw skills. Analyzes skill folders and .skill files for: prompt injection, data exfiltration, malicious scripts, suspicious network...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included files: SKILL.md documents a scanner and scripts/scan_skill.py implements static checks. No unrelated credentials, binaries, or install steps are requested — this aligns with a local static analysis tool.
Instruction Scope
Instructions are primarily scoped to scanning installed skill folders and optionally deleting a flagged skill. This is appropriate for a pre-install scanner, but the SKILL.md tells the agent to run 'rm -rf <skill-path>' on user confirmation — destructive operations are expected for removal, but they must be performed carefully (ensure path sanitization and explicit user consent). A prompt-injection signal ('ignore-previous-instructions') was flagged inside SKILL.md which could indicate attempted manipulation of an automated evaluation or is a false positive; this needs manual verification.
Install Mechanism
No install spec; this is instruction + bundled script only. No downloads or remote installers are invoked by the skill itself, which keeps install risk low.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The bundled scanner looks for references to API keys and env vars in other skills, which is expected behavior for a scanner and does not mean the scanner itself needs those secrets.
Persistence & Privilege
always:false (default) and model invocation is allowed (default). The skill does not request permanent inclusion or system configuration changes. The ability to delete files is present in its recommended workflow, but that is not the same as requesting elevated, persistent privileges.
Scan Findings in Context
[pre-scan-prompt-injection:ignore-previous-instructions] unexpected: SKILL.md content triggered a prompt-injection pattern 'ignore-previous-instructions'. A scanner's README could include example adversarial text or a warning that triggered the detector; either way this should be inspected manually to confirm it's not trying to manipulate an evaluation pipeline.
[dangerous-pattern:rm-rf] expected: The scanner's own pattern list explicitly looks for 'rm -rf' as a dangerous pattern. Finding references to rm -rf in instructions or detection rules is expected for a security scanner, but any actual invoked deletion must be verified to avoid path-traversal or accidental system deletion.
[dangerous-pattern:exec-subprocess-eval] expected: The scanner contains regexes for eval/exec/subprocess/etc. This is expected because it scans for these constructs in other skills. Presence of these detection patterns inside the scanner is not itself malicious but merits review of the scanner code path to ensure it does not execute scanned artifacts.
What to consider before installing
This skill appears to be a legitimate static scanner bundled with a Python script, but exercise caution before using it as an automated pre-install hook. Actions to take before installing/auto-running:

  1. Manually inspect scripts/scan_skill.py for any code that makes network calls, forks processes, or executes scanned files — confirm it only reads files and writes local JSON.
  2. Confirm the SKILL.md prompt-injection flag is harmless (e.g., example text) and not an attempt to influence other automated tools.
  3. If you intend to allow automated deletion on 'critical' findings, verify the code constructs the deletion path safely and that you will be prompted for explicit confirmation; never allow blind rm -rf operations.
  4. Prefer to run the scanner in an isolated environment (container or sandbox) the first time and cross-check results with an independent tool.
  5. If provenance matters, verify the GitHub repository and publisher identity before trusting the skill widely.

scripts/scan_skill.py:250
Shell command execution detected (child_process).
scripts/scan_skill.py:249
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.2

SKILL.md

Skill Audit — Security Scanner for OpenClaw Skills

Pre-install security hook. Scan skills before trusting them.

Pre-Install Hook Workflow (MANDATORY)

When any new skill is installed via clawhub install, follow this workflow:

  1. Let clawhub install <slug> run (it downloads to skills/ or ~/.openclaw/skills/)

  2. Immediately scan the installed skill:

    python3 {baseDir}/scripts/scan_skill.py <path-to-installed-skill> --json
    
  3. Read the JSON output and check overall_risk

  4. Report to the user based on risk:

    • 🟢 Low: "🛡 Skill <name> scanned: safe. No suspicious patterns found."
    • 🟡 Medium: "🛡 Skill <name>: worth reviewing. [N] findings (e.g. reads API keys, makes HTTP requests). Details: [short list]. Do you want to enable it anyway?"
    • 🔴 High: "⚠️ Skill <name>: risky! [list findings]. Recommendation: run only in a sandbox. Keep or delete?"
    • Critical: "🚨 Skill <name>: DANGEROUS! [top findings]. Recommendation: delete immediately. Shall I remove it?"
  5. If critical: offer to delete the skill folder immediately

  6. If user confirms deletion: rm -rf <skill-path>
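
A guard for the deletion in step 6, as an added example that is not part of the skill's own code: it refuses to run rm -rf unless the path resolves to a real directory directly inside the skills directory. The function names and the "direct child of the skills directory" rule are assumptions.

```shell
#!/bin/sh
# Added example: guard for step 6's `rm -rf <skill-path>`.
# Function names are hypothetical; the rule "must be a direct child of the
# skills directory" is an assumption about how skills are laid out.

# canon DIR -> physical absolute path of DIR (symlinks resolved)
canon() {
    (CDPATH= cd -- "$1" 2>/dev/null && pwd -P)
}

# is_safe_skill_path ROOT PATH -> 0 only if PATH is a real directory sitting
# directly inside ROOT once symlinks and ".." segments are resolved.
is_safe_skill_path() {
    root=$1
    target=$2
    [ -n "$root" ] && [ -n "$target" ] || return 1
    # Drop trailing slashes so the symlink test sees the entry itself.
    while [ "${target%/}" != "$target" ]; do target=${target%/}; done
    [ -d "$target" ] || return 1
    [ ! -L "$target" ] || return 1          # link could point anywhere
    real_root=$(canon "$root") || return 1
    real_target=$(canon "$target") || return 1
    [ "$real_root" != "/" ] || return 1     # never treat / as a skills dir
    # The parent of the resolved path must be exactly the resolved root.
    [ "${real_target%/*}" = "$real_root" ] || return 1
}

# remove_skill ROOT PATH -> deletes the skill folder, or refuses with exit 1.
remove_skill() {
    if ! is_safe_skill_path "$1" "$2"; then
        echo "refusing to delete '$2': not a skill folder under '$1'" >&2
        return 1
    fi
    # real_target was set by the check above (sh variables are global).
    # Delete the resolved path; "--" stops option parsing.
    rm -rf -- "$real_target"
}

# Usage, after the user has confirmed deletion:
#   remove_skill "$HOME/.openclaw/skills" "$skill_path"
```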

Manual Scan

python3 {baseDir}/scripts/scan_skill.py <path-to-skill>

JSON output:

python3 {baseDir}/scripts/scan_skill.py <path-to-skill> --json

Accepts skill folders (containing SKILL.md) and packaged .skill files.

Bulk Scan (all installed skills)

Scan every skill in a directory:

for d in ~/.openclaw/skills/*/; do
  python3 {baseDir}/scripts/scan_skill.py "$d"
  echo ""
done

What It Detects

  1. Prompt Injection — hidden instructions, identity overrides, audit evasion, invisible unicode, HTML comments
  2. Data Exfiltration — base64+POST, reverse shells, data capture services (webhook.site, requestbin)
  3. Dangerous Code — eval/exec, dynamic imports, unsafe deserialization, subprocess, raw sockets
  4. File System Abuse — path traversal, SSH key access, system files, OpenClaw config
  5. Network Connections — URL extraction + classification, hardcoded IPs, known API endpoints
  6. Secret Access — env var reads, API key references, credential patterns
  7. Permission Scope — required binaries, env vars, network-capable tools

Risk Levels

  • 🟢 Low — no concern
  • 🟡 Medium — review, could be legitimate
  • 🔴 High — likely dangerous, review carefully
  • Critical — almost certainly malicious

Limitations

Static analysis catches patterns, not intent. Cannot detect:

  • Logic-level attacks (subtly biased outputs)
  • Obfuscated code beyond known patterns
  • Runtime-only behavior (code fetched from URL then executed)

Combine with manual review for high-stakes deployments.

Source Code

GitHub: https://github.com/ProduktEntdecker/skill-audit
