ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill

v1.1.0

Security check for OpenClaw skills. Scan any ClawHub skill for malware, prompt injection, data theft, wallet stealing, and dangerous permissions BEFORE insta...

0· 198·1 current·1 all-time
by@folvindine

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for folvindine/agora-sentinel.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Skill" (folvindine/agora-sentinel) from ClawHub.
Skill page: https://clawhub.ai/folvindine/agora-sentinel
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install agora-sentinel

ClawHub CLI

Package manager switcher

npx clawhub@latest install agora-sentinel
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match what the scripts do: query a remote trust database at checksafe.dev for a skill slug and present a badge/report. However, the SKILL.md claims this will 'automatically' pre-check before any clawhub install; there is no integration or hook provided to implement automatic pre-install checks (the repo only includes standalone shell scripts). The automatic pre-install behavior is therefore marketing rather than implemented functionality.
!
Instruction Scope
The runtime instructions and scripts call HTTPS endpoints at checksafe.dev with skill slugs and, in batch/scan mode, enumerate the local skills directory and send all discovered slugs to the remote API. The SKILL.md asserts 'Does not send any user data to Sentinel — only queries by skill slug', but scanning installed skills will in practice transmit the user's installed-skill inventory (slugs), which is user-specific information. There are no instructions that read or transmit local files or secrets, but the inventory leak is a privacy/leakage vector the docs understate.
Install Mechanism
No install spec and the shipped files are simple, readable shell scripts and markdown. Nothing is downloaded or executed from untrusted URLs by the scripts themselves (they only call checksafe.dev APIs). There is no archive download/extract behavior in the skill itself.
Credentials
The skill requests no environment variables or credentials, which aligns with its purpose. However, transmitting installed skill slugs to a third-party service is a form of data exfiltration (metadata) even if no secrets are sent; the SKILL.md's blanket statement that 'Does not send any user data to Sentinel' is inaccurate in the context of installed-skill scans.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system configuration. It can be invoked autonomously by an agent (default behavior) but that is normal for skills and not by itself a red flag here.
What to consider before installing
This skill appears to be a lightweight client for the external service checksafe.dev (it queries badge.json and report endpoints). Before installing, consider: - Privacy: scan_installed.sh collects local skill slugs and sends them to checksafe.dev; if you are uncomfortable exposing your installed-skill inventory, do not run the batch/scan scripts or review them locally first. - Trust the external service: the tool relies entirely on checksafe.dev. Verify the domain, TLS, and the service's privacy policy if you will send any inventory. If you need to avoid network calls, use the scripts only with explicit, manual slug names or inspect the API responses from a browser first. - Automatic pre-install: the README/SKILL.md implies automatic pre-install hooks; those are not implemented. If you expect an agent to automatically intercept 'clawhub install', additional integration would be required. - Confirm behavior: the code is readable and not obfuscated, so you can safely inspect scripts before running. If you want stronger guarantees, ask the author for an explanation of what metadata is logged server-side and for an option to run checks locally or provide an allowlist/offline dataset. Given these mismatches (especially the inaccurate claim about not sending user data), treat the skill as useful but with privacy implications — review and run the scripts manually and confirm the external service's trustworthiness before enabling automatic or broad scans.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛡️ Clawdis
latestvk976ng71k1y00kcermzamyjgyx83dnqb
198downloads
0stars
2versions
Updated 20h ago
v1.1.0
MIT-0
@folvindine
latest
Download

When to Use This Skill

ALWAYS check a skill's safety before installing it. Whenever the user asks to install a ClawHub skill, or you are about to run clawhub install, FIRST check the skill's trust score using this skill.

Before ANY skill install, run the check script:

bash scripts/check_skill.sh <skill-slug>

If the result shows:

  • TRUSTED or CLEAN — Safe to proceed. Tell the user the score.
  • CAUTION — Warn the user about specific risks. Proceed only if they confirm.
  • WARNING — Strongly advise against installing. Show the findings.
  • DANGER — Do NOT install. Show the user exactly what was detected.

Before installing any skill, always check it first. This is the single most important thing this skill does — automatic pre-install security screening.

Checking a Specific Skill

When the user asks about a skill's safety, reputation, or trustworthiness — including "is this skill safe", "is this legit", "should I install this", "can I trust this", or any concern about security:

bash scripts/check_skill.sh <skill-slug>

Present the results clearly:

  • Trust Score (0-100) and Badge (TRUSTED/CLEAN/CAUTION/WARNING/DANGER)
  • Tier level (0-4, where 4 is most trusted)
  • Any flags: malware patterns, excessive permissions, prompt injection risk
  • Permission breakdown: what the skill requests access to
  • How old the skill is and how many downloads it has

If the user just gives a skill name without the exact slug, try the name as-is (lowercase, hyphenated). Example: "crypto helper" -> "crypto-helper"

For a detailed security audit with full findings:

curl -s https://checksafe.dev/api/v1/skills/<skill-slug>/report

Scanning All Installed Skills

When the user asks to audit their installed skills, check their security, review what they have installed, check all installed skills, or says "review my skills", "security audit", or "scan my setup":

bash scripts/scan_installed.sh

This scans every skill in the workspace and reports any with WARNING or DANGER ratings. Present results as a summary table showing each skill's badge and score, then detail any concerning findings.

Quick Check Without Scripts

If scripts are unavailable, you can check directly:

curl -s https://checksafe.dev/api/v1/skills/<skill-slug>/badge.json

Response format:

{
  "slug": "skill-name",
  "label": "sentinel",
  "message": "trusted",
  "color": "#4caf50",
  "trust_score": 94,
  "tier": 4
}

For a full report with detailed findings:

curl -s https://checksafe.dev/api/v1/skills/<skill-slug>/report

What Gets Scanned

Agora Sentinel continuously monitors every skill on ClawHub (30,000+) for:

  • Malware patterns: wallet theft, credential stealing, crypto stealing code, hidden downloads
  • Prompt injection: instructions that override system prompts or manipulate the LLM
  • Data exfiltration: code that sends local files, environment variables, or secrets to external servers
  • Excessive permissions: skills requesting shell+network access when they shouldn't need it
  • Dangerous permission combos: file_write+network enables data theft, shell+network enables RCE
  • Obfuscated code: base64 encoded commands, hidden hex payloads, eval of dynamic content
  • Hidden instructions: zero-width characters, HTML comment tricks, fake system prompts
  • ClickFix social engineering: fake prerequisites telling users to run malicious terminal commands
  • Two-stage loaders: download-and-execute patterns, base64 decode pipelines, fetch+eval
  • Credential theft: SSH keys, browser cookies, crypto wallets, OpenClaw env files, keychain access
  • Infrastructure IOCs: known malicious IPs and domains from the ClawHavoc campaign
  • Typosquatting: skill names mimicking popular legitimate skills (Levenshtein distance)
  • Campaign detection: coordinated bulk uploads from suspicious authors

All scans run automatically. No API key needed. Results update continuously. Dashboard: https://checksafe.dev/dashboard/

Trust Tiers

TierNameMeaning
4TrustedScore 90+, 30+ days old, zero findings ever
3CertifiedScore 75+, no critical findings
2CleanScore 55+, passed all scans
1ScannedScore 30+, some concerns
0DangerousScore below 30 OR malicious patterns detected

Batch Checking Multiple Skills

To check several skills at once:

bash scripts/check_batch.sh skill-one skill-two skill-three

What This Skill Does NOT Do

  • Does not execute or sandbox skills — only checks Sentinel's pre-computed trust data
  • Does not block installs — warns and advises, user has final say
  • Does not require any API keys or accounts
  • Does not send any user data to Sentinel — only queries by skill slug
  • Does not modify other skills or system files

Comments

Loading comments...