ClawHub

Skill Scanner

Security checks for installing skills, packages, or plugins. Use BEFORE any `npm install`, `openclaw plugins install`, `clawhub install`, or similar install...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 0 · 0 current installs · 0 all-time installs
by@sudhindrat
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the SKILL.md content: it is a pre-install security checklist for skills/packages. There are no unrelated environment variables, binaries, or installs requested that would be disproportionate to the stated purpose.
Instruction Scope
The runtime instructions are advisory (inspect package.json, run `npm info`, `npm audit`, check repos, look for downloads/lifecycle scripts, etc.). This is appropriate for a security checklist. One minor mismatch: the skill expects tools like `npm` and `git` to be available but the metadata does not declare required binaries — that is reasonable given it's instruction-only but worth noting so an operator knows these checks rely on external CLI tools.
Install Mechanism
No install spec and no code files — lowest-risk category. The skill does not download or execute third-party code itself.
Credentials
The skill requests no credentials, environment variables, or config paths. Its guidance to look for credential-access patterns (e.g., `.env`, `~/.ssh/`) is appropriate for its purpose rather than an attempt to access them.
Persistence & Privilege
always is false and the skill is user-invocable. Model invocation is allowed (default) but that is appropriate for a helper skill and not excessive given the skill has no install or credential requests.
Assessment
This skill is a safe, instruction-only checklist you can use before installing packages. Before you rely on it: ensure the environment where checks run has npm/git if you want the automated commands to work; review any commands the agent would execute (it may run `npm info`, `npm audit`, or inspect package.json); treat the checklist as guidance — it doesn't auto-block installs; and continue to require explicit user approval before running or installing anything flagged as suspicious.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9714965rk97pxpavg4hn6pn4n830hrz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Skill Security

Run these checks before installing ANY skill, package, or plugin. Always warn the user before proceeding.

Pre-Install Checklist

1. Source Verification

  • Is it from clawhub.com (vetted) or a random npm package?
  • Who's the author? Do they have other packages / reputation?
  • Is there a GitHub repo? Check for recent commits, open issues, maintainer activity.

2. Popularity Check

  • npm info <package> — check weekly downloads, last publish date, version history
  • Low downloads (< 100/week) + recent publish = higher risk

3. Dependency Audit

  • npm info <package> dependencies — how many deps does it pull in?
  • More dependencies = larger attack surface
  • Flag packages with 50+ transitive dependencies

4. Lifecycle Scripts (HIGH RISK)

  • Check for preinstall, install, postinstall scripts — these run arbitrary code
  • npm info <package> scripts or inspect package.json
  • pnpm blocks these by default; npm does NOT
  • If lifecycle scripts exist, flag it explicitly to the user

5. Scan After Install

  • npm audit after install to catch known vulnerabilities

6. Check for Dynamic Content

  • Search the skill code for URLs that are fetched at runtime
  • Skills that download and execute content from external endpoints can change behavior after install

Red Flags — Stop and Ask

  • 🚩 Package published very recently with no history
  • 🚩 Maintainer has no other packages or reputation
  • 🚩 Package name similar to a popular one (typosquatting: e.g., reqeust vs request)
  • 🚩 Requests permissions beyond what it claims to do
  • 🚩 No GitHub repo, or repo is empty/suspicious
  • 🚩 Postinstall scripts that download from unknown URLs
  • 🚩 Dynamic content fetching — skill calls external URLs at runtime (2.9% of ClawHub skills do this; payload can change after install)
  • 🚩 Base64 in install instructions — ClickFix social engineering pattern (fake errors → paste base64 command → malware)
  • 🚩 New uploader, bulk uploads — single user uploading many skills rapidly (ClawHavoc: 354 skills from one account)
  • 🚩 Skill references credential paths~/.openclaw/credentials/, ~/.clawdbot/.env, .env files

Core File Protection

Skills are NEVER allowed to modify these files without explicit user approval:

  • SOUL.md — agent identity
  • AGENTS.md — agent rules
  • IDENTITY.md — agent metadata
  • USER.md — user's personal info
  • MEMORY.md or memory/*.md — agent memories
  • TOOLS.md — infrastructure notes

Data Exfiltration Checks

After installing a skill, before running it:

  1. Read SKILL.md — understand what the skill does
  2. Check file paths — does it reference paths outside its own directory and workspace?
  3. Check exec commands — does it curl to unknown domains?
  4. Check write/edit calls — are target paths outside workspace/?
  5. Check for credential access.env, ~/.ssh/, ~/.gnupg/, API keys
  6. Check for dynamic content — does it fetch and execute content from external URLs at runtime? (Snyk: 2.9% of ClawHub skills do this)

ClawHub-Specific Checks

When installing from ClawHub:

  • Check uploader history — is this a new account? Do they have other skills? Bulk uploads from unknown accounts = red flag (ClawHavoc: 354 skills from one malicious account)
  • Check skill stars/reviews — community feedback is a signal, not proof
  • Check VirusTotal — OpenClaw has a VirusTotal partnership; check if the skill has been scanned
  • Verify semantic versioning — legitimate skills typically have version history and changelogs
  • Search for security reports — search web for "[skill-name] malicious" before installing

Known Attack Campaigns (as of March 2026)

Reference for identifying patterns:

  • ClawHavoc — 300+ coordinated skills, ClickFix social engineering, downloads Atomic Stealer (AMOS)
  • AuthTool — dormant payload, activates on specific natural language prompts, establishes reverse shell
  • Hidden Backdoor — fake "Apple Software Update" during install, encrypted tunnel to attacker
  • Credential Exfiltration — targets ~/.clawdbot/.env and ~/.openclaw/credentials/ for API keys

Red Flags — Skill Behavior

  • 🚩 Skill reads .env or credential files
  • 🚩 Skill makes network requests to unfamiliar domains
  • 🚩 Skill writes to paths outside workspace
  • 🚩 Skill modifies core files (SOUL, AGENTS, MEMORY, USER, IDENTITY, TOOLS)
  • 🚩 Skill sends data to external URLs not part of stated purpose

What To Tell The User

Before installing, give a brief summary:

"⚠️ Installing [package]: [downloads/week], [last updated], [dep count] deps, [lifecycle scripts?]. Looks [clean/sketchy] — proceed?"

If red flags found:

"🚩 Flags on [package]: [list issues]. Want me to proceed anyway?"

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…