ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentShield Scanner

v0.5.1

Scan AI agent skills, MCP servers, and plugins for security vulnerabilities. Use when: user asks to check a skill/plugin for safety, audit security, scan for...

0· 314· 2 versions· 0 current· 0 all-time· Updated 15h ago· MIT-0
byElliot Liu@elliotllliu

Security Scans

VirusTotalBenignClawScanSuspiciousStatic analysisBenign

Install

openclaw skills install agentshield-scanner

AgentShield — Security Scanner

Scan any directory for security issues in AI agent skills, MCP servers, and plugins.

Usage

# Basic scan
npx @elliotllliu/agent-shield scan ./path/to/skill/

# Pre-install check (GitHub URL, npm package, or local path)
npx @elliotllliu/agent-shield install-check https://github.com/user/repo

# JSON output for programmatic use
npx @elliotllliu/agent-shield scan ./path/to/skill/ --json

# Fail if score is below threshold
npx @elliotllliu/agent-shield scan ./path/to/skill/ --fail-under 70

# Scan .difypkg plugin archives
npx @elliotllliu/agent-shield scan ./plugin.difypkg

What It Detects (30 rules)

High Risk:

  • data-exfil — reads sensitive files + sends HTTP requests
  • backdoor — eval(), exec(), dynamic code execution
  • reverse-shell — outbound socket to shell
  • crypto-mining — mining pool connections
  • credential-hardcode — hardcoded API keys/tokens
  • obfuscation — base64+eval, hex strings
  • prompt-injection — 55+ patterns, 12 categories, 8 languages
  • tool-shadowing — tool name/description manipulation
  • attack-chain — multi-step kill chain (5 stages)
  • cross-file — cross-file data flow and code injection
  • ast-* — Python AST taint tracking (eval, pickle, SQL injection, SSTI)
  • multilang-injection — 8-language prompt injection
  • description-integrity — semantic mismatch between description and code
  • mcp-runtime — MCP server runtime security issues

Medium Risk:

  • env-leak — process.env exfiltration
  • network-ssrf — user-controlled URLs, SSRF
  • privilege — SKILL.md permission vs code mismatch
  • supply-chain — known CVEs in dependencies
  • sensitive-read — SSH keys, AWS creds access
  • phone-home — periodic beacon/heartbeat pattern
  • python-security — 35 Python-specific patterns

Low Risk:

  • excessive-perms — too many permissions declared
  • hidden-files — .env with secrets committed
  • typosquatting — suspicious npm package names

Interpreting Results

  • Score 90-100: Low risk ✅
  • Score 70-89: Moderate risk — review warnings
  • Score 40-69: High risk — investigate before using
  • Score 0-39: Critical risk — do not install

When to Use

  1. Before installing a third-party skill: npx @elliotllliu/agent-shield install-check <url>
  2. Auditing your own skills before publishing
  3. CI/CD pipeline gate: --fail-under 70
  4. Reviewing skills from untrusted sources

Version tags

agentvk97bekn1jm1zmz4q9bm15bwmsn82t13fauditvk97bekn1jm1zmz4q9bm15bwmsn82t13flatestvk97bekn1jm1zmz4q9bm15bwmsn82t13fmcpvk97bekn1jm1zmz4q9bm15bwmsn82t13fscannervk97bekn1jm1zmz4q9bm15bwmsn82t13fsecurityvk97bekn1jm1zmz4q9bm15bwmsn82t13f