Skill Auditor v2

v2.0.0

Security scanner for OpenClaw skills. Detects malicious code, obfuscated payloads, prompt injection, social engineering, typosquatting, and data exfiltration...

⭐ 0· 616·0 current·0 all-time

by@aiwithabidi·fork of @sypsyp97/skill-auditor-pro

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for aiwithabidi/skill-auditor-v2.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Skill Auditor v2" (aiwithabidi/skill-auditor-v2) from ClawHub.
Skill page: https://clawhub.ai/aiwithabidi/skill-auditor-v2
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill-auditor-v2

ClawHub CLI

Package manager switcher

npx clawhub@latest install skill-auditor-v2

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description indicate a security scanner; required binary is only python3; included files (audit_skill.py, quarantine.sh, IoC DB and pattern docs) match that purpose. Nothing in metadata asks for unrelated cloud credentials or system-wide privileges.

ℹ

Instruction Scope

SKILL.md instructs the agent to run the included Python scanner or the quarantine shell script against a provided skill path or slug. The doc and reference files include prompt‑injection signatures (e.g., 'ignore previous instructions') which triggered a pre-scan warning — this appears to be part of the scanner's rule set (expected) rather than an attempt to override the evaluator. The scanner may fetch remote skills when run with --slug (network I/O) — this is expected for a tool that audits remote packages, but you should be aware it will contact ClawHub or whatever remote endpoint the script implements.

✓

Install Mechanism

No installer or external download is declared. This is instruction + code bundled in the skill. No remote archive downloads or extract steps are performed by the registry metadata. Running the tools will execute local Python code only.

✓

Credentials

The skill declares no required environment variables or credentials. The scanner contains detection rules to look for many API‑key patterns and config paths but does not itself require any external secrets to operate.

✓

Persistence & Privilege

The skill is not always-enabled, does not request persistent system changes in metadata, and the quarantine script only copies quarantined files into a production directory if the user explicitly consents. No elevated platform privileges are requested in metadata.

Scan Findings in Context

[pre-scan:ignore-previous-instructions] expected: The pre-scan detected prompt-injection wording (e.g., 'ignore previous instructions'). These strings appear in references/prompt-injection-patterns.md and are part of the auditor's detection rules — expected for a tool that looks for prompt injection.

Assessment

This skill appears to be what it says: a Python-based auditor plus a shell quarantine helper. Before running it, review the bundled audit_skill.py (it will scan files and may fetch remote slugs) and quarantine.sh yourself, and run them in an isolated environment (container or VM) on untrusted skills. Be aware the --slug mode will perform network fetches to retrieve remote skills — if you need to avoid network I/O, run the auditor only against local directories. Confirm the default production directory in quarantine.sh matches your environment before approving any automatic copy/installation, and inspect audit-report.json results before installing any audited skill. The pre-scan prompt-injection flag is explained by the auditor including a list of injection signatures; this is expected but always worth a quick manual check because such patterns could be abused if the skill were modified by a malicious actor.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binspython3

auditvk978ensqp0yvea4mfpdxtrcah1816a55latestvk978ensqp0yvea4mfpdxtrcah1816a55securityvk978ensqp0yvea4mfpdxtrcah1816a55

616downloads

0stars

1versions

Updated 2mo ago

v2.0.0

MIT-0

Skill Auditor v2.0 🔍🛡️

Comprehensive security scanner for OpenClaw/ClawHub skills. Merges static analysis, deobfuscation, and threat intelligence into a single Python tool.

When to Use

Before installing any third-party skill from ClawHub
When reviewing skill updates for security regressions
To audit your own skills before publishing
When someone asks: "is this skill safe?", "audit this", "check security"

Quick Start

Audit a local skill directory

python3 {baseDir}/scripts/audit_skill.py /path/to/skill --human

Audit a ClawHub skill by slug

python3 {baseDir}/scripts/audit_skill.py --slug skill-name --human

Quarantine workflow (audit + prompt to install)

bash {baseDir}/scripts/quarantine.sh /path/to/skill
bash {baseDir}/scripts/quarantine.sh --slug skill-name

JSON output for programmatic use

python3 {baseDir}/scripts/audit_skill.py /path/to/skill --json

Scoring System

Score	Level	Action
0–20	✅ SAFE	Auto-install OK
21–40	🟢 LOW RISK	Proceed with caution
41–60	🟡 MEDIUM RISK	Manual review required
61–80	🟠 HIGH RISK	Expert review needed
81–100	🔴 CRITICAL	Do NOT install

Exit codes: 0 = safe (≤20), 1 = review (21–60), 2 = dangerous (>60)

Detection Layers

Layer 1: Static Pattern Analysis

10+ scan categories with regex patterns
Shell execution, network calls, env access, filesystem escape
Prompt injection, data exfiltration, crypto wallet access
Dynamic imports, browser credential theft, fake prerequisites

Layer 2: Deobfuscation

Base64 string extraction and decode → re-scan decoded content
Hex escape sequence decode → re-scan
Detects hidden commands, C2 IPs in encoded payloads

Layer 3: Threat Intelligence

IoC database: known malicious IPs, domains
Social engineering detection: urgency, false authority, fear tactics
MITRE ATT&CK ID mapping on every finding
Whitelist system reduces score for safe binaries/domains

Additional Checks

SHA256 file inventory for integrity verification
Typosquat detection (Levenshtein distance on package names)
Zero-width character detection in SKILL.md
Comment-context severity reduction (findings in comments scored lower)
Permission scope analysis (what tools does the skill request?)

IoC Database

Structured threat data in references/ioc-database.json. Update when new threats emerge. The scanner auto-loads this file at runtime.

References

references/ioc-database.json — Structured IoC data (IPs, domains, patterns)
references/known-patterns.md — Human-readable threat documentation
references/prompt-injection-patterns.md — Prompt injection pattern reference

Credits

Built by M. Abidi | agxntsix.ai YouTube | GitHub Part of the AgxntSix Skill Suite for OpenClaw agents.

📅 Need help setting up OpenClaw for your business? Book a free consultation

Fork of skill-auditor-pro by sypsyp97, merged with skill-security-auditor by akm626.

Comments

Loading comments...