360Guard
v1.0.0360-degree comprehensive security review Skill. Use before installing any Skill from ClawHub, GitHub, or other sources. Performs full security scans includin...
⭐ 0· 265·0 current·0 all-time
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name, description, and included scripts (Node scanner + quick/full bash scans) are consistent with a 'skill vetter' — it performs static pattern checks and produces reports. However, the Node scanner intentionally excludes a 'scripts' directory (EXCLUDE_DIRS includes 'scripts'), which is surprising for a scanner because many malicious behaviors live in script directories; this exclusion undermines the stated goal of comprehensive scanning and is disproportionate to the purpose.
Instruction Scope
SKILL.md instructs running the provided quick/full scans and the Node scanner against target Skill folders (expected). But a pre-scan detected unicode-control-chars in SKILL.md (prompt-injection pattern), which is suspicious and could indicate an attempt to influence or confuse automated evaluators or viewers. The scripts read files under the target path and write a report into the same scanned directory (360guard-report-*.txt) — writing reports is expected, but running these tools on untrusted code should be done in a sandbox. The scanner's pattern list includes process.env and credential regexes to detect sensitive access (expected), but the exclusion of 'scripts' can create blind spots.
Install Mechanism
No install spec is present (instruction-only with shipped scripts). That is lower risk than arbitrary remote downloads. The skill ships local scripts rather than pulling code at install time, so nothing is downloaded from unknown URLs during installation.
Credentials
The skill declares no required environment variables or credentials, and its scanners only look for sensitive patterns in target code rather than requesting secrets. There is no disproportionate credential request. (Be aware the scanner flags process.env usages when scanning other code — that's normal for a vetter.)
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify other skills' configs. It will create report files in the scanned directory, which is reasonable for a scanner, but you should run it in a sandbox when scanning untrusted packages.
Scan Findings in Context
[unicode-control-chars] unexpected: Control/unicode-invisible characters were detected inside SKILL.md. A vetting tool shouldn't include prompt-injection characters in its own instructions; this may be accidental (copy/paste) but could also be an attempt to manipulate automated readers. Recommend inspecting SKILL.md for hidden control characters and removing them or asking the author for clarification.
What to consider before installing
This skill is a scanner and generally does what it says, but I found two things to worry about: (1) the Node scanner excludes a 'scripts' directory from scanning, which could hide malicious scripts from its own checks — that contradicts 'comprehensive' scanning and should be fixed or at least documented; (2) SKILL.md contains unicode control characters (prompt-injection signal) — inspect and remove them or ask the publisher why they're present. Before running 360Guard on untrusted Skills, do these steps: run it on a copy of the target in an isolated environment (container or VM), manually inspect the target's scripts/ and any files the scanner would skip, examine scripts/scanner.cjs and the bash scripts to ensure they are benign, and avoid scanning targets that contain sensitive credentials unless done in a fully controlled sandbox. If the author or source is known and you can confirm the control chars are benign and the 'scripts' exclusion is intended and documented, this assessment would move toward benign.scripts/scanner.cjs:16
Shell command execution detected (child_process).
scripts/full-scan.sh:26
Dynamic code execution detected.
scripts/scanner.cjs:15
Dynamic code execution detected.
scripts/scanner.cjs:53
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestskill vetter
360Guard 🛡️
360-degree comprehensive security review — Like antivirus for your Skills
1. When to Use
- Before installing any Skill from ClawHub
- Before installing any Skill from GitHub or other sources
- When evaluating code shared by other Agents
- Any time you're asked to install unknown code
- Periodic audit of installed Skills (recommended monthly)
- Before running high-risk Skills for second verification
2. Core Principles
┌─────────────────────────────────────────────────────────────┐
│ 🛑 Security Layer Priority │
├─────────────────────────────────────────────────────────────┤
│ ⛔ EXTREME → Absolutely refuse to install │
│ 🔴 HIGH → Requires human approval │
│ 🟡 MEDIUM → Full code review + limited permissions │
│ 🟢 LOW → Basic review OK │
└─────────────────────────────────────────────────────────────┘
3. Security Checklist
3.1 Base Red Flags (from Skill Vetter)
🚨 Reject immediately if you see:
────────────────────────────────────────────────────────────
• curl/wget to unknown URLs
• Sends data to external servers
• Requests credentials/tokens/API keys
• Reads ~/.ssh, ~/.aws, ~/.config without clear reason
• Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md
• Uses base64 decode on anything
• Uses eval() or exec() with external input
• Modifies system files outside workspace
• Installs packages without listing them
• Network calls to IPs instead of domains
• Obfuscated code (compressed, encoded, minified)
• Requests elevated/sudo permissions
• Accesses browser cookies/sessions
• Touches credential files
────────────────────────────────────────────────────────────
3.2 Extended Red Flags (New)
3.2.1 Persistence & Auto-start
🔴 Persistence check:
• Creates cron job / systemd service
• Modifies ~/.ssh/authorized_keys
• Writes to /etc/hosts
• Adds Login Items / Startup Items
• Modifies .bashrc / .zshrc / profile
• Registers LaunchAgent (macOS)
• Installs systemd user service
3.2.2 Monitoring & Eavesdropping
🔴 Monitoring permissions check:
• Requests screen capture/recording (screencapture)
• Requests audio recording permission
• Keyloggers
• Accesses microphone/camera
• File system monitoring (fswatch/inotify)
3.2.3 Data & Privacy
🔴 Data theft check:
• Reads clipboard (pbpaste)
• Reads environment variables (especially API_, SECRET, TOKEN)
• Accesses browser history/bookmarks
• Accesses macOS Keychain
• Accesses iMessage/SMS
• Accesses contacts/calendar
• Accesses photo library
3.2.4 Network & Communication
🔴 Network anomaly check:
• Initiates reverse shell (nc -e / bash -i)
• Uses Tor proxy
• DNS queries to suspicious domains
• WebSocket long connections
• IRC connections
• Non-standard ports (>65535 or <1024 unusual)
• Hardcoded IP addresses (non-local)
3.2.5 Code Execution (Advanced)
🔴 Dynamic execution check:
• Dynamic import (importlib.import_module)
• __import__() dynamic loading
• compile() dynamic compilation
• xmlrpc / jsonrpc remote calls
• pickle / yaml / marshal deserialization
• exec() / eval() any string
• subprocess shell=True
3.2.6 File System
🟡 File operation check:
• Writes to executable paths outside /tmp
• Modifies /usr/local/bin
• Writes .dmg/.pkg installers
• Creates .hidden files/directories
• File permission modification (chmod +x)
• Symbolic links (pointing external)
• Contains binary files (.so/.dylib/.exe/.bin)
3.2.7 Dependencies & Supply Chain
🟡 Supply chain check:
• Dependency version range too wide (>1.0.0 not ^1.0.0)
• Dependencies from private/unknown sources
• Dependencies on deprecated packages
• Silent additional dependency downloads
• References other unvetted Skills
• Uses git submodule (may point to malicious repo)
3.2.8 Social Engineering
🟡 Social engineering check:
• Mimics popular Skill names (e.g., "github", "weather-ai")
• README overpromises ("one-click to do everything...")
• No source code, only compiled binaries
• Author has no history
• Downloads vs stars ratio suspicious (fake reviews)
4. Risk Classification
| Risk Level | Example Checks | Action |
|---|---|---|
| 🟢 LOW | Text processing, weather, note formatting | Basic review, OK to install |
| 🟡 MEDIUM | File I/O, browser control, API calls | Full review + limited permissions |
| 🔴 HIGH | Credential access, Keychain, network requests | Human approval + sandbox test |
| ⛔ EXTREME | Persistence, root access, keylogging, reverse shell | Refuse |
5. Trust Hierarchy
| Source | Review Level | Recommendation |
|---|---|---|
| Official OpenClaw Skills | Low (still review) | Basic check |
| High-star Repo (1000+) | Medium | Standard check |
| Known Authors | Medium | Standard check |
| Unknown Sources | High | Full check |
| Requests credentials | Extreme | Refuse |
| Modifies system files | Extreme | Refuse |
6. Automated Scanning Scripts
6.1 Quick Scan (quick-scan.sh)
#!/bin/bash
# Usage: ./quick-scan.sh /path/to/skill
# Output: Quick risk assessment report
SKILL_PATH=$1
echo "🔍 360Guard Quick Scan: $SKILL_PATH"
echo "================================"
# Check dangerous functions
echo -e "\n📡 Network request check:"
grep -r "curl\|wget\|fetch\|http\.\|https\.\|socket" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py" | head -5
# Check sensitive file access
echo -e "\n🔑 Sensitive path check:"
grep -r "~/.ssh\|~/.aws\|~/.config\|/etc/hosts\|authorized_keys" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py"
# Check dangerous commands
echo -e "\n⚠️ Dangerous command check:"
grep -r "eval\|exec\|shell=True\|base64 -d\|openssl" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py"
echo -e "\n✅ Quick scan complete"
6.2 Full Scan (full-scan.sh)
#!/bin/bash
# Usage: ./full-scan.sh /path/to/skill
# Output: Complete security assessment report
SKILL_PATH=$1
REPORT="$SKILL_PATH/360guard-report.txt"
echo "🛡️ 360Guard Full Scan: $SKILL_PATH" | tee "$REPORT"
echo "========================================" | tee -a "$REPORT"
# 1. File structure check
echo -e "\n📁 File structure:" | tee -a "$REPORT"
find "$SKILL_PATH" -type f | head -20 | tee -a "$REPORT"
# 2. Dangerous function scan
echo -e "\n⚠️ Dangerous function scan:" | tee -a "$REPORT"
for pattern in "eval(" "exec(" "shell=True" "base64" "subprocess" "importlib" "__import__" "pickle" "yaml.load" "xmlrpc" "socket.create_connection"; do
result=$(grep -r "$pattern" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py" 2>/dev/null)
if [ -n "$result" ]; then
echo " ❌ Found: $pattern" | tee -a "$REPORT"
echo "$result" | head -3 | tee -a "$REPORT"
fi
done
# 3. Sensitive path scan
echo -e "\n🔑 Sensitive path scan:" | tee -a "$REPORT"
for pattern in "~/.ssh" "~/.aws" "~/.config" "/etc/hosts" "authorized_keys" "keychain" "credentials" ".env"; do
result=$(grep -r "$pattern" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py" 2>/dev/null)
if [ -n "$result" ]; then
echo " ⚠️ Warning: $pattern" | tee -a "$REPORT"
fi
done
# 4. Network request scan
echo -e "\n🌐 Network request scan:" | tee -a "$REPORT"
grep -r "http://\|https://\|wget\|curl\|fetch" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py" | grep -v "^#" | head -10 | tee -a "$REPORT"
# 5. Persistence check
echo -e "\n⏰ Persistence check:" | tee -a "$REPORT"
for pattern in "cron" "systemd" "launchd" "login item" "startup" "autostart"; do
result=$(grep -ri "$pattern" "$SKILL_PATH" --include="*.sh" --include="*.js" --include="*.py" 2>/dev/null)
if [ -n "$result" ]; then
echo " 🔴 High risk: $pattern" | tee -a "$REPORT"
fi
done
# 6. Dependency check
echo -e "\n📦 Dependency check:" | tee -a "$REPORT"
if [ -f "$SKILL_PATH/package.json" ]; then
cat "$SKILL_PATH/package.json" | grep -E "dependencies|devDependencies" -A 20 | tee -a "$REPORT"
fi
if [ -f "$SKILL_PATH/requirements.txt" ]; then
cat "$SKILL_PATH/requirements.txt" | tee -a "$REPORT"
fi
if [ -f "$SKILL_PATH/package.yaml" ]; then
cat "$SKILL_PATH/package.yaml" | tee -a "$REPORT"
fi
# 7. Binary file check
echo -e "\n💾 Binary file check:" | tee -a "$REPORT"
find "$SKILL_PATH" -type f \( -name "*.so" -o -name "*.dylib" -o -name "*.exe" -o -name "*.bin" -o -name "*.dll" \) 2>/dev/null | tee -a "$REPORT"
echo -e "\n========================================" | tee -a "$REPORT"
echo "✅ Full scan complete, report saved to: $REPORT"
6.3 Node.js Scanner (scanner.js)
#!/usr/bin/env node
/**
* 360Guard Node.js Scanner
* Usage: node scanner.js /path/to/skill
*/
const fs = require('fs');
const path = require('path');
const { execSync } = require('child_process');
const DANGER_PATTERNS = {
CRITICAL: [
{ pattern: /eval\s*\(/, name: 'eval() execution' },
{ pattern: /exec\s*\(/, name: 'exec() execution' },
{ pattern: /shell\s*=\s*true/i, name: 'subprocess shell=True' },
{ pattern: /base64.*decode/i, name: 'base64 decode' },
{ pattern: /pickle\.load/i, name: 'pickle deserialization' },
{ pattern: /yaml\.load/i, name: 'yaml deserialization' },
{ pattern: /__import__\s*\(/, name: 'dynamic import' },
{ pattern: /importlib\.import_module/i, name: 'dynamic module load' },
{ pattern: /xmlrpc/i, name: 'XML-RPC remote call' },
{ pattern: /reverse.*shell|nc\s+-e|bash\s+-i/i, name: 'reverse shell' }
],
HIGH: [
{ pattern: /curl\s+/, name: 'curl request' },
{ pattern: /wget\s+/, name: 'wget download' },
{ pattern: /fetch\s*\(/, name: 'fetch request' },
{ pattern: /https?:\/\/\d{1,3}\.\d{1,3}/, name: 'direct IP connection' },
{ pattern: /process\.env/i, name: 'environment variable access' },
{ pattern: /child_process/, name: 'subprocess execution' }
],
MEDIUM: [
{ pattern: /\/\.ssh\//, name: 'SSH directory access' },
{ pattern: /\/\.aws\//, name: 'AWS directory access' },
{ pattern: /keychain/i, name: 'Keychain access' },
{ pattern: /credentials|token|secret/i, name: 'credential related' },
{ pattern: /cron|systemd|launchd/i, name: 'persistence mechanism' }
]
};
function scanFile(filePath) {
const results = { CRITICAL: [], HIGH: [], MEDIUM: [] };
try {
const content = fs.readFileSync(filePath, 'utf8');
for (const [level, patterns] of Object.entries(DANGER_PATTERNS)) {
for (const { pattern, name } of patterns) {
if (pattern.test(content)) {
results[level].push({ file: filePath, issue: name });
}
}
}
} catch (e) {
// Skip unreadable files
}
return results;
}
function scanDirectory(dirPath) {
const allResults = { CRITICAL: [], HIGH: [], MEDIUM: [] };
function walk(dir) {
const files = fs.readdirSync(dir);
for (const file of files) {
const fullPath = path.join(dir, file);
const stat = fs.statSync(fullPath);
if (stat.isDirectory() && !file.startsWith('.')) {
walk(fullPath);
} else if (stat.isFile()) {
const ext = path.extname(file);
if (['.js', '.ts', '.py', '.sh', '.bash'].includes(ext)) {
const results = scanFile(fullPath);
for (const level of Object.keys(allResults)) {
allResults[level].push(...results[level]);
}
}
}
}
}
walk(dirPath);
return allResults;
}
function generateReport(skillPath, results) {
console.log('\n🛡️ 360Guard Security Scan Report');
console.log('='.repeat(50));
console.log(`📂 Scan path: ${skillPath}`);
console.log('');
const riskOrder = ['CRITICAL', 'HIGH', 'MEDIUM'];
const emoji = { CRITICAL: '🔴', HIGH: '⚠️', MEDIUM: '🟡' };
for (const level of riskOrder) {
if (results[level].length > 0) {
console.log(`\n${emoji[level]} ${level} risk (${results[level].length} items):`);
for (const item of results[level]) {
console.log(` • ${item.issue}`);
console.log(` File: ${item.file}`);
}
}
}
console.log('\n' + '='.repeat(50));
if (results.CRITICAL.length > 0) {
console.log('🔴 Conclusion: Critical risks found, NOT recommended to install');
process.exit(1);
} else if (results.HIGH.length > 0) {
console.log('⚠️ Conclusion: High risk found, human approval required');
process.exit(2);
} else if (results.MEDIUM.length > 0) {
console.log('🟡 Conclusion: Medium risk found, please review carefully');
process.exit(0);
} else {
console.log('✅ Conclusion: No obvious risks found');
process.exit(0);
}
}
// Main
const skillPath = process.argv[2] || '.';
if (!fs.existsSync(skillPath)) {
console.error('❌ Path does not exist:', skillPath);
process.exit(1);
}
const stat = fs.statSync(skillPath);
const results = stat.isDirectory() ? scanDirectory(skillPath) : scanFile(skillPath);
generateReport(skillPath, results);
7. Output Format
After vetting, produce this format:
╔══════════════════════════════════════════════════════════╗
║ 🛡️ 360Guard Security Review Report ║
╠══════════════════════════════════════════════════════════╣
║ Skill Name: [name] ║
║ Source: [ClawHub / GitHub / other] ║
║ Author: [username] ║
║ Version: [version] ║
╠══════════════════════════════════════════════════════════╣
║ 📊 Scan Statistics ║
║ • File count: [count] ║
║ • Lines of code: [count] ║
║ • Dependencies: [count] ║
╠══════════════════════════════════════════════════════════╣
║ 🚨 Issues Found ║
║ 🔴 Critical: [count] ║
║ ⚠️ High: [count] ║
║ 🟡 Medium: [count] ║
╠══════════════════════════════════════════════════════════╣
║ 📋 Detailed Issue List ║
║ [List each issue with file location, type, risk level] ║
╠══════════════════════════════════════════════════════════╣
║ 💾 Permissions Required ║
║ • File read: [list or "None"] ║
║ • File write: [list or "None"] ║
║ • Network: [list or "None"] ║
║ • Commands: [list or "None"] ║
╠══════════════════════════════════════════════════════════╣
║ 🎯 Risk Level: [🟢 LOW / 🟡 MEDIUM / 🔴 HIGH / ⛔ EXTREME] ║
╠══════════════════════════════════════════════════════════╣
║ ⚖️ Final Verdict ║
║ [✅ Safe to install / ⚠️ Install with caution / ❌ Do not install] ║
╠══════════════════════════════════════════════════════════╣
║ 📝 Notes ║
║ [Any other observations and recommendations] ║
╚══════════════════════════════════════════════════════════╝
8. Quick Commands
Vet ClawHub Skill
# Method 1: Download and scan
wget -O skill.zip "https://clawhub.ai/api/download/SKILL_NAME"
unzip skill.zip
node ~/.npm-global/lib/node_modules/openclaw/skills/360guard/scripts/scanner.cjs ./SKILL_NAME
rm -rf skill.zip SKILL_NAME
# Method 2: GitHub repo scan
curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, updated: .updated_at}'
git clone https://github.com/OWNER/REPO
node ~/.npm-global/lib/node_modules/openclaw/skills/360guard/scripts/scanner.cjs ./REPO
Quick Vet Commands
# Check repo stats
curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars, forks, updated, language}'
# List all files
curl -s "https://api.github.com/repos/OWNER/REPO/contents/" | jq '.[].name'
# Get SKILL.md
curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/SKILL.md"
9. Remember
- ❌ No Skill is worth compromising security
- ❓ When in doubt, don't install
- 🧑🦰 High-risk decisions: ask your human
- 📝 Document your vetting for future reference
- 🔄 Periodically re-vet installed Skills
🛡️ 360Guard — 360-degree security for your Agent
Comments
Loading comments...