ClawHub

Agent Skills Tools

v0.1.0

Security audit and validation tools for the Agent Skills ecosystem. Scan skill packages for common vulnerabilities like credential leaks, unauthorized file access, and Git history secrets. Use when you need to audit skills for security before installation, validate skill packages against Agent Skills standards, or ensure your skills follow best practices.

0· 1.3k·5 current·5 all-time
by@rongself
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the actual behavior: the included shell script scans a target skill directory for hardcoded keys, references to sensitive paths, network-call patterns, environment-variable usage, credentials files, and simple Git-history hints. None of the script's requirements (no env vars, no external installs) are inconsistent with an auditing tool.
Instruction Scope
SKILL.md instructs running the provided script against a target directory. The script only inspects files under the supplied path and (if present) the repository history via git -C; it does not read or exfiltrate user home files by itself. Note: checks are purely local and pattern-based (grep); they may produce false positives/negatives and rely on simple patterns like 'api_key' and strings such as 'curl' or '.ssh'.
Install Mechanism
No install spec — instruction-only with a bundled shell script. This is low-risk: nothing is downloaded or written to disk beyond the contained files.
Credentials
The skill requests no environment variables or credentials, which is appropriate for a static auditing tool. The script does not access environment variables beyond local git execution.
Persistence & Privilege
always is false; the skill does not request persistent presence or modify other skill configurations. Autonomous invocation is allowed by platform default but the skill itself has no persistence/privilege escalation behavior.
Assessment
This skill appears to do what it claims: a local, grep-based audit you run against a skill package. Before installing/using it: 1) review the script yourself (it's short and included); 2) run it against a copy of the package (don't point it at system root or sensitive directories unless you mean to); 3) expect heuristic results — it may miss obfuscated secrets or flag benign code; 4) the tool does not transmit data externally, but any agent invoking the tool could collect and send the report, so limit autonomous use if you don't trust the agent; 5) the publisher is unknown/no homepage — if you need stronger assurance, prefer tools from verified sources or request provenance/signing from the author. Additional information (a verifiable author, tests, or a signed release) would raise confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dd05pfgypg797gn3w0c2g9n80r3jk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔒 Clawdis

Comments