OpenClaw Security Suite
Comprehensive security suite for OpenClaw skills. Includes static scanning (AST + keywords) and AI-powered semantic behavior review to detect malicious code.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 150 · 0 current installs · 0 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and SKILL.md align with the described purpose: AST scanning, keyword scanning, an LLM-based review, and some runtime guards. Small inconsistencies: SKILL.md lists 'node' as a required binary while the registry metadata earlier said none; README and changelog claim a VM sandbox feature but the runtime code does not consistently use the vm runner (vm_runner.ts exists but is not invoked by the scanner). The package.json declares @babel parser/traverse dependencies which are expected for AST scanning.
Instruction Scope
The skill accepts a path and will read all .ts/.js files in that path — so it can read arbitrary files the agent user points it at (this is expected for a scanner but raises data-exposure risk if used on sensitive dirs). The AI review embeds the full file contents into a prompt and calls ctx.llm.generate, which will send the raw code (and any secrets inside it) to the LLM provider; that is a clear data-exfiltration risk if the LLM is external. The code uses node:vm.runInContext in vm_runner.ts (a file present), and the README touts sandboxing, but node:vm is not a secure sandbox for untrusted code and the project explicitly removed vm2 — that change reduces rather than increases guarantees. Also, ai_review simply forwards raw LLM output without JSON validation/parsing, which is brittle and could be manipulated.
Install Mechanism
There is no install spec (no remote downloads, no install script), which reduces supply-chain risk. However package.json declares npm dependencies (@babel/parser and @babel/traverse) that must be installed to run the scanner; those are from public npm and are expected for AST parsing. No obscure URLs or archive downloads are used.
Credentials
The skill does not request environment variables, credentials, or config paths. It flags process.env and sensitive file paths in its patterns (appropriate for scanning), but it does not itself require secrets. This is proportionate to its stated purpose.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. disable-model-invocation is false (normal), which means the agent can invoke it autonomously — that is the expected behavior for a skill of this type but note that autonomous invocation plus the data-exfiltration mechanism (sending code to an LLM) increases blast radius.
What to consider before installing
This package appears to implement what it claims (static scanning + AI review) but there are several things to consider before installing:
- Provenance: the source/homepage is unknown. Prefer packages with a known author or a public repository you can inspect.
- Node requirement mismatch: SKILL.md expects the 'node' binary; ensure your runtime provides Node and that dependencies (@babel packages) are installed.
- Data exposure: the 'review' action inserts full file contents into an LLM prompt (ctx.llm.generate). If your agent's LLM provider is external, any secrets or sensitive code will be sent to that provider. Only run 'review' on non-sensitive code or ensure the LLM provider and contract are acceptable.
- Sandboxing limits: vm_runner.ts uses Node's node:vm; that is NOT a hardened sandbox for running untrusted code. The README notes they replaced vm2 with node:vm—that reduces guarantees against sandbox escapes. Do not use this skill to execute untrusted code expecting strong isolation.
- Path scope: scanSkill reads all .ts/.js files in the provided directory. Don't point it at system or secrets directories (e.g., /, home, or /etc).
- Auditing: before granting access, inspect the package source yourself (or in an isolated environment), verify package.json dependencies, and consider running scans in an isolated VM or container. Ask the author for a repository or signed releases if you need higher assurance.
What would change my assessment to 'benign': an authoritative source/repo with history; clearer SKILL metadata (node requirement); removal or explicit limitation of sending full file contents to external LLMs (or an opt-in with clear warning); and a safer, documented sandboxing strategy (or avoiding execution entirely).Like a lobster shell, security has layers — review code before you run it.
Current versionv0.2.3
Download zipcode-reviewlatestscannersecurity
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
OpenClaw Security Suite
A comprehensive security protection layer for OpenClaw extensions, providing both static analysis and AI-assisted behavioral review.
Features
This suite bundles two core security capabilities:
1. Static Security Scan (action: "scan")
Analyzes a full skill directory for deterministic threats:
- Blocked Imports: e.g.,
child_process,cluster - Dangerous Functions: e.g.,
exec(),spawn() - Known Bad Keywords: e.g.,
eval(,__proto__,rm -rf - Sensitive File Access: e.g.,
/etc/passwd,/.env - Suspicious Regex Patterns: e.g.,
curl ... | bash
2. AI Code Review (action: "review")
Uses the active LLM context (ctx.llm) to semantically analyze a specific file for hidden threats:
- Data exfiltration
- Credential leaks
- Obfuscated shell execution
- System modification
Usage
You must specify an action and a path.
Example 1: Static Scan
{
"action": "scan",
"path": "/path/to/skill/directory"
}
Example 2: AI Review
{
"action": "review",
"path": "/path/to/skill/index.ts"
}
Output
Scan Output:
{
"safe": false,
"results": [
{
"file": "index.ts",
"issues": [{ "type": "blocked_module", "module": "child_process" }]
}
]
}
Review Output:
{
"risk_level": "high",
"reason": "Code reads AWS credentials from environment and posts them to an external IP."
}
Files
15 totalSelect a file
Select a file to preview.
Comments
Loading comments…