ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Security Auditor for OpenClaw

v1.1.3

Autonomously scans all installed OpenClaw skills for security risks. Detects dangerous behaviors like shell execution, file deletion, remote code download, d...

1· 19·0 current·0 all-time
by@theelephantcoder
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and provided code (audit.js, monitor.js, dashboard.js, whitelist.js) are consistent with a static security auditor. Requested env (HOME) and node runtime are appropriate. However the skill declares and uses write:filesystem and exec:shell permissions (writes whitelist/reports and spawns node processes) which are more than the minimal 'read-only scan' one might expect from a purely static analyzer; those extras are arguably justified by features (dashboard, --fix, monitor, whitelist) but represent scope beyond simple read-only analysis.
!
Instruction Scope
Runtime instructions explicitly tell the agent to read every SKILL.md and script in multiple locations (workspace, user, bundled). That requires broad read access to user skill files (expected). The README and SKILL.md both claim 'static analysis only' and 'read-only — never modifies or deletes skill files', yet the tool has features that write to ~/.openclaw (reports, whitelist) and a --fix option to generate patched SKILL.md — this is a contradiction that should be clarified before granting write permissions.
Install Mechanism
No install spec, no external downloads, and the code is pure Node.js using only the standard library. No high-risk install mechanism detected.
Credentials
Only HOME is required which is reasonable. The skill requests write:filesystem, exec:shell, and network:localhost — these are explainable (writing reports/whitelist, launching local dashboard, spawning child node processes) but are broader than a minimal static scanner. No external secret credentials are requested.
Persistence & Privilege
always:false (good). The skill includes an optional monitor that can be run as a background service and provides instructions to add launchd/systemd entries; this requires explicit user action. The skill writes whitelist and report files under ~/.openclaw which is expected for its functionality but is persistent state the user should review.
Scan Findings in Context
[H1] expected: file-cleaner/scripts/run.js contains child_process exec usage (execSync) and deliberate shell invocations; the auditor must detect this pattern in other skills — finding is expected in the bundled sample skill and appropriate for an auditor to flag.
[H3] expected: file-cleaner includes rm -rf and fs.unlink usage (arbitrary file deletion) in sample skill; auditor should report this — presence in sample skill is expected.
[M3] expected: data-sync sample reads local files and POSTs them to a remote URL (read-then-send exfiltration pattern). This is intentionally included in samples and is appropriate for an auditor to flag.
[H1 (audit engine)] expected: audit.js, monitor.js, test.js use execFileSync/execSync to spawn node processes and open the browser. These exec usages are necessary for features (tests, monitor, dashboard auto-open) but mean the auditor itself requires exec:shell permission — this is legitimate but widens its privilege surface.
What to consider before installing
This skill appears to implement a legitimate static security auditor and includes convenience features (local dashboard, continuous monitor, whitelist, saved reports). Before installing or enabling it: 1) Review and accept that it will read all files under your skills directories and will write files under ~/.openclaw (reports, whitelist, optional patched SKILL.md). 2) Confirm you are comfortable granting exec:shell and write:filesystem to the skill (they're used for tests, dashboard launching, and monitor behavior). 3) If you only want audit reports and no persistence, avoid running the monitor or using the --fix option; run the CLI (--dir, --output) manually in a restricted environment. 4) Consider running the auditor in a sandbox (container or VM) or restricting its file-scope to a copy of your skills directory when performing initial scans. 5) If you do enable the dashboard or monitor, inspect the code (audit.js, monitor.js, dashboard.js, whitelist.js) yourself or have a trusted reviewer confirm the exact file writes and network bindings. If you need, ask me to point out the exact lines where files are written, where exec is called, or where reports/whitelist are saved.

Like a lobster shell, security has layers — review code before you run it.

latestvk9716nev31tk3718sqph0s9pm584jk2p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvHOME

Comments