Shoofly Plugin Scan

v0.1.0

Pre-install plugin security scanner for OpenClaw plugins


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wow-leeroy-jenkins05/shoofly-plugin-scan.

Install the skill "Shoofly Plugin Scan" (wow-leeroy-jenkins05/shoofly-plugin-scan) from ClawHub.
Skill page: https://clawhub.ai/wow-leeroy-jenkins05/shoofly-plugin-scan
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install shoofly-plugin-scan

ClawHub CLI


npx clawhub@latest install shoofly-plugin-scan
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md describes checks you would expect from a pre-install security scanner (credential patterns, obfuscated code, network URLs, sensitive path references, exec patterns). There are no unrelated required env vars, binaries, or install steps.
Instruction Scope
The instructions are high-level and scoped to scanning a plugin directory. However, the wording around "Sensitive path access — ~/.ssh, ~/.aws, ~/.gnupg, /etc/passwd" is ambiguous: it likely means "look for code that accesses these paths" rather than "read these paths on the host," but the doc does not explicitly forbid or clarify reading host system files or making network requests. Clarification is recommended.
Install Mechanism
No install spec and no code files — this is instruction-only, which minimizes risk because nothing is downloaded or written by default.
Credentials
No environment variables, credentials, or config paths are required in the registry metadata; that is proportionate for a static scanner.
Persistence & Privilege
Does not request always:true or any persistent/system-wide changes. Default autonomous invocation allowed (normal for skills) but there is no indication the skill would modify other skills or agent config.
Assessment
This appears to be a coherent instruction-only plugin scanner. Before installing or running it, ask the author (or check implementation) to confirm two things: (1) the scanner only analyzes files in the provided plugin directory and does not read host-sensitive files (e.g., ~/.ssh, ~/.aws, /etc/passwd) or other unrelated system paths; and (2) it does not exfiltrate plugin contents or make external network calls — the "Unusual network calls" check should be a pattern check, not an outbound fetch. Also verify the scanner's provenance (source code or homepage) before trusting results, and run it on untrusted plugins inside a sandbox or isolated environment until you confirm its behavior.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97dd8dwy8j2anzj7x3js9fq4s83f6q1
114 downloads
0 stars
1 version
Updated 1mo ago
v0.1.0
MIT-0

shoofly-plugin-scan

Scans an OpenClaw plugin directory for security issues before installation.

Usage

shoofly-plugin-scan <path-to-plugin>

Checks

  1. Credential patterns — API keys (sk-, ghp_, AKIA*), private keys
  2. Obfuscated code — long hex/base64 strings, eval(), Function() constructor
  3. Unusual network calls — URLs not in the trusted allowlist
  4. Sensitive path access — ~/.ssh, ~/.aws, ~/.gnupg, /etc/passwd, credentials
  5. Exec patterns — child_process.exec with variable args, shell: true

Exit codes

Code  Meaning
0     Clean — no findings
1     Findings — review before installing
2     Scan error

Allowlisted hosts

github.com, npmjs.com, openclaw.ai, clawhub.com, shoofly.dev
