Security Scan

v1.0.0

Security review workflow for OpenClaw skills and other small code folders. Use when auditing a skill before publishing or installing it, checking for dangero...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included resources: a lightweight static scanning workflow and a small shell script that searches a target directory for dangerous calls, hardcoded-secret patterns, and world-writable files. It does not request unrelated credentials, binaries, or config paths.
Instruction Scope
SKILL.md limits the agent to running the bundled script against a user-specified target and to manual triage of results. The script only reads files under the provided target path and emits findings; it does not contact external endpoints, write outside the target, or reference environment variables beyond the target parameter.
Install Mechanism
No install spec — instruction-only with one small included shell script. Nothing is downloaded or placed into system locations. This is low-risk and proportionate for the stated purpose.
Credentials
The skill declares no required environment variables or credentials. The script contains regexes to detect some common API key formats (e.g., Google API key prefix, OpenAI sk-), which is expected behavior for a secrets scanner. No unrelated secrets or broad credential access are requested.
Persistence & Privilege
always:false is set, and there is no code that modifies other skills or global agent settings. The skill can be invoked by the agent (the normal default); it does not request permanent presence or elevated privileges.
Assessment
This appears to be a legitimate, lightweight static scanner. Before running it, inspect scripts/scan.sh yourself (it's short and included) and run the scan on a copy or controlled checkout of the target if the target contains sensitive data. Understand this tool is intentionally limited: it will produce false positives and false negatives and does not perform dynamic or network analysis. If the scan finds potential secrets or dangerous calls, manually inspect the surrounding code, rotate any exposed credentials, and escalate to sandboxed/dynamic analysis or human review for high-risk findings.

Like a lobster shell, security has layers — review code before you run it.

