Claw-lint
v1.0.4
Security scanner for OpenClaw skills. Detects malware and backdoors before execution, scores risk levels, and monitors file integrity through static code analysis.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (security linter for OpenClaw skills) match the included behavior: the bundled shell script statically scans ~/.openclaw/workspace/skills and ~/.openclaw/skills, computes hashes, and emits text/JSON. Minor metadata inconsistency: registry 'Required binaries' is empty but the SKILL.md and script explicitly require a set of standard Unix tools (bash, find, grep, awk, sha256sum, stat, base64, tr, readlink, mktemp, etc.). That is not a functional red flag but should be corrected for accuracy.
Instruction Scope
The SKILL.md and bin/claw-lint.sh confine actions to static analysis of skill directories and local files (no network calls, no external endpoints). The script searches for patterns like hardcoded keys, remote-exec idioms, and persistence indicators and may compute SHA256 hashes when requested. It does not attempt to read system-wide configuration beyond scanning the listed skill directories; it detects but does not follow symlinks by default. Behavior stays within the described purpose.
Install Mechanism
No install spec — the skill is instruction-only with a bundled shell script. No remote downloads or extract/install steps are present in the package. The included code is self-contained and executed locally.
Credentials
The skill declares no required environment variables or credentials, and the code does not attempt to access external secrets stores. It does look for patterns that indicate hardcoded secrets inside scanned skills (e.g., AWS keys, private key headers) and flags them, which is appropriate for its scanning role.
Persistence & Privilege
The skill does not request permanent 'always' inclusion or modify other skills' configs. It can be invoked by the agent (normal), but has no elevated persistence or privilege demands.
Assessment
This skill appears to be what it says: a local static linter for OpenClaw skills. Before installing or running it, consider:
1) Ensure you have the required standard Unix tools (bash, find, grep, awk, sha256sum, stat, base64, tr, readlink, mktemp); the registry metadata omits these but the script will fail without them.
2) Review the bundled bin/claw-lint.sh (already included) if you have extra caution — it runs locally and does not make network requests, but it will read files under your ~/.openclaw skill directories and may flag sensitive material found there.
3) Run it on a test environment first (or with --skill <name>) to inspect outputs and false positives before integrating in CI.
4) If you require guarantees about symlink handling or whether targets outside the skill directories are scanned, verify behavior in your environment (the script detects symlinks but does not explicitly follow them when enumerating files).
Overall this is coherent for a pre-execution scanner; no obvious malicious behavior was found.

Like a lobster shell, security has layers — review code before you run it.
latest: vk972mc7en4ncmpv87eaxwek705812gbr
