Skill Auditor
Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions); human review is required before treating this skill as clean.
This skill appears coherent for a security scanner. Before installing, verify the source/publisher, run setup manually, decline auto-scan or LLM/VirusTotal features unless you need them, and review scan-url.js if you are concerned about eval-based pattern loading. ClawScan detected prompt-injection indicators (ignore-previous-instructions), so this skill requires review even though the model response was benign.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious skill being scanned could potentially influence an LLM-based judgment if the analyzer does not isolate untrusted text well.
Optional LLM analysis may process untrusted skill descriptions or findings and then influence severity. That is purpose-aligned, but users should not treat the model output as immune to prompt-injection attempts from scanned content.
Asks LLM: "Does this behavior match the skill's description?" ... Adjusts severity based on semantic understanding
Use LLM mode as a second opinion only, and keep static findings visible even when semantic analysis downgrades them.
Users have less registry-level information for verifying where the skill came from.
The registry metadata does not provide a clear source or homepage. This is a provenance gap for a security-sensitive tool, though not evidence of malicious behavior by itself.
Source: unknown; Homepage: none
Verify the publisher and repository before relying on the scanner for security decisions.
If the evaluated pattern source were tampered with, it could run code in the user's environment.
Dynamic eval can execute code if its input is not strictly controlled. The snippet appears related to scanner pattern loading, but eval is not inherently required for the stated purpose.
eval(`PATTERNS = [${patternsMatch[1]}];`);
Review scan-url.js before using remote URL scanning, and prefer a non-eval parser for pattern loading.
Enabling VirusTotal mode gives the scanner access to your VirusTotal account quota and sends binary hashes/lookup data to VirusTotal.
The skill can use a VirusTotal API key from the environment. This is disclosed as optional binary scanning, but it is still provider credential use.
const apiKey = process.env.VIRUSTOTAL_API_KEY;
Set VIRUSTOTAL_API_KEY only when you intend to use VirusTotal scanning, and use a limited-purpose key if possible.
Skill descriptions or finding summaries could be shared with the configured LLM gateway.
The optional LLM semantic analysis depends on a gateway/model path and may transmit scan context outside the local scanner process.
Requires OpenClaw gateway running ... Uses AI to understand if detected behaviors match stated intent
Enable LLM mode only with a gateway/provider you trust, especially when scanning private or proprietary skills.
If enabled, the scanner may run automatically when new skills are installed.
The setup wizard can create persistent preferences and an auto-scan behavior. The artifacts describe it as wizard-configured and optional, not hidden.
Configure auto-scan on skill installation ... Save preferences to `~/.openclaw/skill-auditor.json`
Enable auto-scan only if you want that persistent behavior, and check ~/.openclaw/skill-auditor.json if you need to disable it.
