ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scan Skill

v1.1.1

Deep security analysis of an individual skill before installation

0· 1.3k·2 current·3 all-time
by@itsnishi
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim a pre-install scanner and the package contains a scanner (scripts/scan_skill.py) plus a pattern database (scripts/patterns.py). The allowed tools (Read, Glob, Grep, Bash) and the instruction to run the included python scanner are consistent with scanning a skill directory.
Instruction Scope
SKILL.md instructs the agent (or user) to run the included python scanner against a target skill directory. The scanner reads all files under the provided directory and reports findings (including secrets). That file I/O is expected for this purpose, but be aware the tool will enumerate and print contents from whatever path you point it at — so only scan directories you intend to inspect.
Install Mechanism
No install spec — instruction-only with bundled scripts. The scanner code is included directly in the skill (no external downloads or package installs), which is proportionate for a local analysis tool.
Credentials
The skill requests no environment variables or external credentials. The pattern database contains regexes to detect secrets, but the skill itself does not require or access secrets from your environment.
Persistence & Privilege
Registry flags show disable-model-invocation: true and always is false. The skill is not auto-invocable and does not request persistent/system-wide changes. It does not attempt to modify other skills' configs in the provided code.
Assessment
This skill appears to do exactly what it says: run a local scanner on a skill directory. Before using it, (1) review the bundled scripts yourself (you have them in the package) to confirm they don't execute code from scanned projects, (2) run the scanner in a sandbox or with least-privilege access if you will scan untrusted repositories, and (3) only point it at directories you intend to expose to a scanner (it will read files and report secrets it finds). The presence of 'Bash' in allowed-tools is explainable (the scanner runs via a shell command) and is mitigated by disable-model-invocation: true, but if you prefer extra caution, run the included python script manually in your environment rather than granting tool execution to an agent.
scripts/patterns.py:357
Shell command execution detected (child_process).
scripts/patterns.py:350
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk975976b5ey1yed94w856rtp7x83q63rsecurityvk974anmsaxcqndz9jwch71pwan80qevq
1.3kdownloads
0stars
3versions
Updated 6h ago
v1.1.1
MIT-0
@itsnishi
latestsecurity
Download

scan-skill -- Individual Skill Analyzer

Perform deep security analysis of a single skill directory before installation. Checks for all known injection techniques from AI agent security research.

What to do

Run the scanner against the target skill directory:

python3 "$SKILL_DIR/scripts/scan_skill.py" "$ARGUMENTS"

Where $ARGUMENTS is the path to the skill directory to analyze.

If no argument is provided, prompt the user for the path to the skill they want to scan.

What it checks

  • SKILL.md frontmatter analysis (dangerous field combinations, hidden skills, pre-approved tools)
  • Hidden HTML comments with imperative instructions
  • Shell command patterns (remote-code-pipe-to-shell, encoded payloads)
  • Description persistence triggers (forced repeated execution keywords)
  • Supporting files analysis (scripts/ directory contents, executable permissions)
  • Dynamic context injection (preprocessor command execution)
  • Encoding and obfuscation (base64, hex, zero-width characters)
  • Instruction override attempts (context manipulation, role impersonation)

Output

Structured report with severity-ranked findings and specific recommendations per finding. Includes frontmatter analysis summary and supporting file inventory.

When to use

  • Before installing a skill from a public repository or marketplace
  • When reviewing a skill contributed by an external party
  • As part of security review before adding skills to your agent configuration

Advisory hooks

The repository's .claude/settings.json includes PreToolUse hooks that warn on dangerous Bash and Write operations. These hooks are advisory only -- they produce warnings but do not block execution.

  • scan-skill is the detection layer for individual skill threats
  • The hooks provide supplementary runtime warnings during agent operation
  • To enforce blocking, hooks must return {"decision": "block"} instead of warning messages

Comments

Loading comments...