ClawHub

CrawSecure

v2.0.1

Offline security scanner that detects unsafe code patterns in ClawHub skills before installation to help users assess potential risks locally.

1· 1.8k·1 current·1 all-time
byDiogo Paes Dev@diogopaesdev
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description claim an offline security scanner, and the SKILL.md explicitly says this skill is documentation-only for an external CrawSecure CLI. No unrelated environment variables, binaries, or install steps are requested, which is proportionate for a documentation skill.
Instruction Scope
SKILL.md contains only documentation and guidance, explicitly states it performs no scanning or network access, and does not instruct the agent to read files, env vars, or execute commands. It does link to an external GitHub repo/website for the CLI — expected for a documentation skill.
Install Mechanism
There is no install spec and no bundled code. As an instruction-only skill this has the lowest install risk; any installation risk is deferred to the external CLI distribution referenced in the docs.
Credentials
The skill requests no environment variables, credentials, or config paths, which matches its documentation-only nature.
Persistence & Privilege
always is false and the skill does not request persistent privileges or modify agent/system settings. user-invocable and model invocation defaults are normal and acceptable for a docs skill.
Assessment
This skill is documentation-only and appears coherent, but the actual CrawSecure scanner it documents is an external binary you would download separately. Before installing or running that external CLI: 1) verify the GitHub repo and release artifacts (owner identity, tags) are legitimate; 2) check release checksums or signatures where available; 3) review the CLI source code if you can, or run it in a sandbox/non-privileged environment; 4) avoid running downloaded binaries as root; and 5) prefer official distribution channels (GitHub releases, official site) over third-party mirrors. Also be aware that the SKILL.md's statements about not accessing network or not executing code are descriptive — they cannot enforce behavior of any external CLI you choose to install.

Like a lobster shell, security has layers — review code before you run it.

auditvk976shphhrh19ynht9hrjtd531823bwpdeveloper-toolsvk976shphhrh19ynht9hrjtd531823bwplatestvk97dky7acktwmztwvp506vgnmd8258svopenclawvk976shphhrh19ynht9hrjtd531823bwpriskvk976shphhrh19ynht9hrjtd531823bwpsafetyvk976shphhrh19ynht9hrjtd531823bwpscannervk976shphhrh19ynht9hrjtd531823bwpsecurityvk976shphhrh19ynht9hrjtd531823bwpstatic-analysisvk976shphhrh19ynht9hrjtd531823bwptrustvk976shphhrh19ynht9hrjtd531823bwpverificationvk976shphhrh19ynht9hrjtd531823bwp
1.8kdownloads
1stars
7versions
Updated 1mo ago
v2.0.1
MIT-0
Diogo Paes Dev@diogopaesdev
auditdeveloper-toolslatestopenclawrisksafetyscannersecuritystatic-analysistrustverification
Download

CrawSecure

CrawSecure is a documentation-first security skill for the ClawHub / OpenClaw ecosystem.

This skill does not include executable code or binaries. Its purpose is to clearly document, explain, and guide the safe usage of the CrawSecure CLI, which is distributed and installed separately by the user.

The goal of this skill is to promote security awareness, transparency, and best practices when working with third‑party skills.

🔍 What this skill provides

  • Clear documentation of what CrawSecure analyzes
  • Explanation of risk signals and classifications
  • Guidance on how to use the CrawSecure CLI safely
  • Security philosophy and trust boundaries

ℹ️ This skill itself performs no scans and executes no code.

🧰 About the CrawSecure CLI

The CrawSecure CLI is an external, optional tool that users may install independently.

It performs local, offline static analysis of ClawHub / OpenClaw skills before installation or trust.

CLI distribution (external)

The CLI is not bundled with this skill.

🚨 Risk signals analyzed by the CLI

When used, the CrawSecure CLI may detect:

  • Dangerous command patterns
    (e.g. destructive or execution‑related behavior)
  • References to sensitive files or credentials
    (e.g. .env, .ssh, private keys)
  • Indicators of unsafe or misleading practices

Risk levels are classified as:

  • SAFE
  • MEDIUM
  • HIGH

🔒 Security & trust boundaries

This skill:

  • Does not execute code
  • Does not install software
  • Does not access the network
  • Does not modify files
  • Requests read‑only permissions only

Any actual scanning happens only if the user installs and runs the CrawSecure CLI from a trusted source.

✅ When to use this skill

  • To understand what CrawSecure checks and why
  • Before deciding to install or run the CrawSecure CLI
  • As a reference for safer skill development practices
  • To promote transparency inside the ClawHub ecosystem

📦 Version

v2.0.1 – Documentation‑only clarification release

This version clarifies scope and removes any ambiguity about bundled execution.

Comments

Loading comments...