Pre-Install Scanner

v1.1.0

Pre-install safety check for ClawHub skills — scans for the 3 highest-risk signals before anything lands on disk. Free taster. Full 10-signal scanner in the...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ordo-tech/skill-pre-install-scanner.

Install the skill "Pre-Install Scanner" (ordo-tech/skill-pre-install-scanner) from ClawHub.
Skill page: https://clawhub.ai/ordo-tech/skill-pre-install-scanner
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill-pre-install-scanner

ClawHub CLI

Package manager switcher

npx clawhub@latest install skill-pre-install-scanner

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description match the declared requirements and instructions: the skill fetches SKILL.md/meta from ClawHub and scans for exec+network, hardcoded URLs, and publisher verification. Required tools (web_fetch, web_search) are appropriate and no unrelated credentials or binaries are requested.
Instruction Scope
Runtime instructions are limited to fetching manifests, checking patterns (exec/network, URLs), and looking up publisher metadata. The docs show specific fetch endpoints and clear risk/rating rules. One minor note: the text says it "intercepts a clawhub install" — this is coherent if the platform invokes the skill pre-install, but the operator should confirm the platform actually triggers the skill at that hook.
Install Mechanism
No install spec and no code files that would be written or executed on disk; instruction-only approach is lowest-risk for installation. Nothing is downloaded from arbitrary URLs by the skill itself.
Credentials
No environment variables, keys, or config paths requested. The checks it performs (web fetch/search) do not require additional credentials, so requested access is proportionate to purpose.
Persistence & Privilege
Skill is not always-enabled and does not request elevated or cross-skill configuration changes. It instructs blocking installs and requiring --force overrides, which is appropriate behavior for a pre-install gate.
Assessment
This skill is instruction-only and coherent with its stated purpose: it fetches skill manifests and flags risky patterns before install, and it doesn't ask for secrets. Before installing, confirm your platform actually invokes pre-install skills at the install hook (so the "intercept" claim is meaningful). Also remember this is a free 3-signal taster — it is not a full audit, so consider running a post-install scanner or using the full Security Pack for deeper checks. Beware of external purchase links (Gumroad) if you consider buying the full pack.

Like a lobster shell, security has layers — review code before you run it.

103 downloads
0 stars
2 versions
Updated 2w ago
v1.1.0
MIT-0

Pre-Install Scanner (Free)

Intercept a clawhub install request and run a quick safety check — before anything is written to disk.

Signals included (free version — 3 of 10):

| Signal | Tier | What it catches |
|---|---|---|
| shell+network combo | HIGH | exec + outbound network in same skill — classic exfil pattern |
| hardcoded-external-url | HIGH | Raw external URLs embedded in instructions |
| unverified-publisher | MEDIUM | Publisher has no verified badge on clawhub.com |

Not included (full version — Security Pack):

  • Data exfiltration pattern detection
  • Suspicious exec chain analysis (curl | bash, base64 -d | bash)
  • Source unreachable handling
  • Missing/vague description flag
  • Excessive permissions check
  • New publisher signal
  • No changelog signal

Get all 10 signals → ClawHub Security Pack


When to run

  • "Install [skill-name] from ClawHub" — runs automatically before install
  • "Is [skill-name] safe to install?" — on-demand scan
  • "clawhub install [skill-name]" — intercepts and scans first

Output format

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔍 Pre-Install Scan (Free — 3/10 signals): <skill-name>
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Publisher : <name> [verified / unverified]
Version   : <version>
Risk      : LOW | MEDIUM | HIGH

Flags:
  ⚠️  <signal>  — <one-line explanation>

Summary: <1–2 sentences>
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

*Full 10-signal scan: https://theagentgordo.gumroad.com/l/clawhub-security-pack*

Actions by rating

| Rating | Action |
|---|---|
| LOW | Proceed with install |
| MEDIUM | Warn user, ask for confirmation |
| HIGH | Block install. Requires --force to override |
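
The three signals and the rating-to-action gate above can be sketched as follows. This is an added example, not the skill's own code (the skill is instruction-only): the keyword patterns, the trusted-host list, the function names and both sample manifests are assumptions constructed for illustration.

```python
import re

# Assumed indicator keywords; the skill does not publish its matching rules.
EXEC_RE = re.compile(r"\b(exec|bash|subprocess|os\.system|powershell)\b", re.I)
NET_RE = re.compile(r"\b(curl|wget|web_fetch|socket|netcat)\b", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Tiers and actions as listed in the tables on this page.
TIER = {"shell+network combo": "HIGH",
        "hardcoded-external-url": "HIGH",
        "unverified-publisher": "MEDIUM"}
ACTION = {"LOW": "Proceed with install",
          "MEDIUM": "Warn user, ask for confirmation",
          "HIGH": "Block install. Requires --force to override"}
ORDER = ["LOW", "MEDIUM", "HIGH"]

def scan(skill_md, publisher_verified, trusted_hosts=("clawhub.ai", "clawhub.com")):
    """Return flags, external hosts, overall risk and the action for that risk."""
    flags = []
    # Signal 1: exec and outbound-network indicators in the same skill text.
    if EXEC_RE.search(skill_md) and NET_RE.search(skill_md):
        flags.append("shell+network combo")
    # Signal 2: URLs whose host is outside the (assumed) trusted list.
    hosts = {h.rstrip(".").lower() for h in URL_RE.findall(skill_md)}
    external = sorted(h for h in hosts
                      if not any(h == t or h.endswith("." + t) for t in trusted_hosts))
    if external:
        flags.append("hardcoded-external-url")
    # Signal 3: publisher has no verified badge (looked up by the caller).
    if not publisher_verified:
        flags.append("unverified-publisher")
    # Overall risk is the highest tier among raised flags, LOW if none.
    risk = max((TIER[f] for f in flags), key=ORDER.index, default="LOW")
    return {"flags": flags, "external_hosts": external,
            "risk": risk, "action": ACTION[risk]}

def may_install(result, confirmed=False, force=False):
    """Gate: HIGH needs --force, MEDIUM needs user confirmation, LOW proceeds."""
    if result["risk"] == "HIGH":
        return force
    if result["risk"] == "MEDIUM":
        return confirmed
    return True

# Constructed sample manifests (not real ClawHub skills).
SAMPLE_RISKY = ("# Report helper\nUse bash to run setup, then curl "
                "https://files.example.net/report to send results.\n")
SAMPLE_CLEAN = "# Notes formatter\nReformat markdown notes. Docs: https://clawhub.ai/docs\n"
```

Keyword matching like this is a heuristic: it flags prose that merely mentions `bash` or `curl` and misses anything phrased differently, which is one reason a three-signal pre-install check is not a full audit.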

Requirements

  • web_fetch — to retrieve the SKILL.md from ClawHub
  • web_search — to check publisher standing
  • No API keys required

Support

https://clawhub.com/@ordo-tech | Full pack: https://theagentgordo.gumroad.com/l/clawhub-security-pack
