ClawHub

Skill Audit

v1.0.0

Automatically audits newly installed skills to validate structure, security, and health before activation, preventing broken or malicious skills from running.

0· 131·0 current·0 all-time
by@yoborlon-alpha

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yoborlon-alpha/claw-skill-audit.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Skill Audit" (yoborlon-alpha/claw-skill-audit) from ClawHub.
Skill page: https://clawhub.ai/yoborlon-alpha/claw-skill-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install claw-skill-audit

ClawHub CLI

Package manager switcher

npx clawhub@latest install claw-skill-audit
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, SKILL.md, and the included audit.sh are consistent: the skill is an on-disk auditor for other skills. It declares no env vars, binaries, or install steps that would be unrelated to this purpose.
Instruction Scope
SKILL.md instructs running the provided audit script against a target skill path. The script only reads files under the given directory, searches for common secret patterns, checks permissions, and reports results — it does not perform network exfiltration or require external services. Note: there are minor implementation bugs (a grep regex with a negative lookahead that standard grep -E may not support, and a shebang-detection loop that runs in a subshell so its flag may not be observable afterwards) which can produce false negatives/positives; these are quality issues rather than malicious behavior.
Install Mechanism
No install spec is provided and the package is instruction-only with a single shell script included. No remote downloads, archives, or package installs occur. Risk from installation is low.
Credentials
The skill requires no environment variables, no credentials, and no config paths. The script does not read or require sensitive system credentials.
Persistence & Privilege
always is false and the skill contains no code to persistently modify agent configuration or enable itself. It runs only when invoked and does not request elevated or persistent privileges.
Scan Findings in Context
[contains-secret-detection-rules] expected: audit.sh intentionally contains grep patterns to detect 'sk-...' API keys, 'password=', 'api_key=', and private key blocks — this is expected for a local audit tool and not a sign of exfiltration.
Assessment
This skill appears to do what it says: a local, read-only audit of a skill directory. Before running: (1) inspect audit.sh yourself (it's short and readable); (2) run it against a copy of the target skill or a non-sensitive test directory to avoid accidentally printing any secrets to your terminal; (3) remember the script only scans files under the provided path — do not point it at system or home directories; (4) be aware of minor bugs that may miss issues or produce false positives, so treat results as advisory and follow up with manual review for any WARN/FAIL output.

Like a lobster shell, security has layers — review code before you run it.

latestvk975n3rx63ret41k8mc4de7n6583tk1k
131downloads
0stars
1versions
Updated 4w ago
v1.0.0
MIT-0
@yoborlon-alpha
latest
Download

skill-audit

Newly installed OpenClaw skill safety inspector & audit tool.

Purpose

Automatically audit newly installed skills before activation. Validates structure, security, and basic health to prevent broken or malicious skills from affecting the system.

When to Use

  • After installing a new skill from ClawHub
  • Before enabling a skill for the first time
  • When debugging a malfunctioning skill
  • As part of routine skill maintenance

What It Checks

1. Structure Validation

  • SKILL.md exists and is readable
  • Required fields present: name, description, location
  • No broken internal links or references

2. Security Scan

  • No hardcoded secrets, API keys, or credentials
  • No suspicious external network calls (untrusted URLs)
  • File permissions safe (no world-writable scripts)

3. Health Check

  • Skill directory accessible
  • No circular imports or broken references
  • Basic syntax validity of SKILL.md

Usage

skill-audit <skill-path>

Example:

skill-audit ~/.openclaw/skills/my-new-skill
skill-audit /workspace/skills/awesome-skill

Output

  • PASS -- Skill passes all checks
  • WARN -- Minor issues found (non-blocking)
  • FAIL -- Critical issues found (blocking)
  • INFO -- Informational notes

Notes

  • Run as part of your installation workflow, not just when things break
  • Combine with clawhub skill for full install -> audit -> enable flow

Comments

Loading comments...