Skill Scanner

Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: this is a local static scanner that searches files for malicious patterns and offers a Streamlit UI. It does not request credentials or binaries unrelated to its purpose. However, the skill's origin is unknown (no homepage) and the README suggests cloning from a GitHub repo; validate the upstream source before installing.
Instruction Scope
Runtime instructions and code limit activity to reading the target skill folder (or uploaded files) and producing a report; the scanner performs regex-based pattern matching and the Streamlit UI writes uploaded files to a temporary directory for scanning. It does not appear to execute scanned code or access system credential files directly. Still, the SKILL.md/README emphasize scanning for access to credential paths (they detect strings like '~/.ssh' in code) — ensure you do not point the scanner at real secret stores, and avoid uploading sensitive files to the web UI.
Install Mechanism
No install spec provided (instruction-only skill with included Python files). That is low-risk from an install perspective — nothing is downloaded or extracted by an automated installer. The Streamlit UI is optional and requires you to pip-install streamlit yourself.
Credentials
The skill requests no environment variables or credentials. The scanner flags patterns that would indicate credential/file access in scanned code, but the scanner itself does not request or require secrets.
Persistence & Privilege
always=false, and the skill does not request persistent system changes. According to the reviewed files, the code writes uploaded content to a temporary directory only and does not modify other skills or system configuration.
What to consider before installing
This package appears to implement a local static scanner and a Streamlit UI that scans only the files you provide. Before installing or running it, do the following:
  1) Verify the source/author — the registry metadata shows no homepage and the origin is unknown; prefer code from a trusted repo.
  2) Inspect the full skill_scanner.py and streamlit_ui.py (the provided copy was truncated in places) to confirm there is no hidden behavior (network calls, code execution, auto-update).
  3) Do not point the scanner at real secret stores or upload sensitive files to the web UI — it only looks for strings/patterns in files, but uploading sensitive data to a web UI increases exposure.
  4) Run it in a sandbox or VM first and test on harmless sample skills to validate false-positive/negative behavior.
  5) Note minor implementation issues (the UI references a format_markdown method, and truncated code made it impossible to confirm all functions) — fix or review those before relying on automated CI gating.
If you want higher assurance, ask the publisher for a canonical repo URL, full source, and a reproducible build, or have a security-savvy reviewer audit the complete code.
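A minimal regex-based static scanner of the kind described above, run over a constructed sample skill file. This is an added example written for this page, not the project's skill_scanner.py; the pattern set, severity labels, verdict rules and report layout are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Assumed pattern table (not the tool's own): regex -> severity, keyed by finding name.
PATTERNS = {
    "credential_path_access": (r"~/\.ssh|~/\.aws|\.netrc|id_rsa", "high"),
    "env_secret_read": (r"os\.environ\.get\(\s*['\"][A-Z_]*(KEY|TOKEN|SECRET)", "medium"),
    "dynamic_code_exec": (r"\b(eval|exec)\s*\(", "high"),
    "obfuscated_payload": (r"base64\.b64decode\(|codecs\.decode\([^)]*rot", "medium"),
    "outbound_network": (r"requests\.(get|post)\(|urllib\.request|socket\.socket", "medium"),
    "shell_execution": (r"subprocess\.(run|Popen|call)\(|os\.system\(", "medium"),
}

def scan_text(text, filename="<memory>"):
    """One finding per (pattern, line) hit; the text is only read, never executed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, (regex, severity) in PATTERNS.items():
            if re.search(regex, line):
                findings.append({"file": filename, "line": lineno, "pattern": name,
                                 "severity": severity, "excerpt": line.strip()[:80]})
    return findings

def scan_folder(folder, suffixes=(".py", ".js", ".sh")):
    """Scan source files under a skill folder; .md docs are skipped (they mention paths like ~/.ssh)."""
    findings = []
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

def verdict(findings):
    """Roll findings up: any high-severity hit is treated as a blocking indicator."""
    if any(f["severity"] == "high" for f in findings):
        return "malicious-indicators"
    return "suspicious" if findings else "clean"

def report_markdown(findings):
    lines = [f"## Verdict: {verdict(findings)}", "", "| file | line | pattern | severity |",
             "|---|---|---|---|"]
    lines += [f"| {f['file']} | {f['line']} | {f['pattern']} | {f['severity']} |" for f in findings]
    return "\n".join(lines)

# Constructed sample skill file: a benign-looking config read, then an obfuscated
# exec whose payload decodes to print('hi').
SAMPLE = """import os, base64
cfg = open(os.path.expanduser("~/.ssh/config")).read()
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
"""
```

Running `report_markdown(scan_text(SAMPLE, "sample_skill/main.py"))` yields three findings (credential path on line 2, dynamic exec and base64 decode on line 3) and the verdict malicious-indicators; a real run on a harmless sample skill is the false-positive check step 4 above asks for.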


Current version: v0.1.2


SKILL.md

Skill Scanner

Security audit tool for Clawdbot/MCP skills - scans for malware, spyware, crypto-mining, and malicious patterns.

Capabilities

  • Scan skill folders for security threats
  • Detect data exfiltration patterns
  • Identify system modification attempts
  • Catch crypto-mining indicators
  • Flag arbitrary code execution risks
  • Find backdoors and obfuscation techniques
  • Output reports in Markdown or JSON format
  • Provide Web UI via Streamlit

Usage

Command Line

python skill_scanner.py /path/to/skill-folder

Within Clawdbot

"Scan the [skill-name] skill for security issues using skill-scanner"
"Use skill-scanner to check the youtube-watcher skill"
"Run a security audit on the remotion skill"

Web UI

pip install streamlit
streamlit run streamlit_ui.py

Requirements

  • Python 3.7+
  • No additional dependencies (uses Python standard library)
  • Streamlit (optional, for Web UI)

Entry Point

  • CLI: skill_scanner.py
  • Web UI: streamlit_ui.py

Tags

#security #malware #spyware #crypto-mining #scanner #audit #code-analysis #mcp #clawdbot #agent-skills #safety #threat-detection #vulnerability

Files: 4 total
