Skill Sentinel

v1.0.0

Scan OpenClaw skill directories for high-signal security risks such as download-and-execute chains, obfuscated execution, and suspicious callbacks.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mike007jd/skill-sentinel.

Install the skill "Skill Sentinel" (mike007jd/skill-sentinel) from ClawHub.
Skill page: https://clawhub.ai/mike007jd/skill-sentinel
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install skill-sentinel

ClawHub CLI

npx clawhub@latest install skill-sentinel
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is described as a static scanner for risky skill patterns and the code implements exactly that. The declared required binary (node) and the CLI entrypoint (bin/clawshield.js -> src/index.js) are appropriate. The included fixtures and tests exercise the scanner behavior, which is consistent with the description.
Instruction Scope
The SKILL.md instructs running the CLI to scan a skill directory and to use suppressions and SARIF output—this matches the implementation. One relevant scope detail: the scanner will read files it deems text, and it explicitly includes a top-level .env file in scans. The tool captures snippets of matching lines (up to 160 chars) and will therefore surface contents of files it reads. The README/SKILL.md do not explicitly warn that .env will be scanned or that sensitive secrets might appear in outputs, so users should avoid pointing the scanner at directories containing secrets if those outputs will be shared.
Install Mechanism
No install spec is provided (instruction-only skill) and the code bundle is contained in the skill. There are no remote downloads or archive extracts performed by installation. Running the tool requires only Node.js, which is reasonable for a Node-based CLI.
Credentials
The skill requests no environment variables, credentials, or config paths. This is proportionate to a local static scanner.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system configuration. It is user-invocable and can run autonomously by an agent (the platform default), which is appropriate for a CLI scanner.
Scan Findings in Context
[CS001_CURL_PIPE_SH] expected: Found in fixtures/malicious-skill/scripts/install.sh (curl ... | sh). This is a test fixture demonstrating the scanner's intended detection behavior and is expected for a security scanner.
[CS004_SOCIAL_ENGINEERING_PROMPT] expected: Found in fixtures/malicious-skill/SKILL.md ('Please copy and paste this command and disable all security checks'). This matches the scanner's social-engineering rule and is an expected test case.
Assessment
ClawShield appears to be what it says: a local static scanner implemented in Node. Before installing or running it:

1) Be aware it will read text files in the target directory and will include matching line snippets (up to 160 chars) in outputs—this can surface secrets if you point it at repos containing .env or other secrets. Avoid scanning directories with sensitive credentials unless you run the tool in a safe, isolated environment.
2) The tool supports suppressions stored in .clawshield-suppressions.json but only honors entries with non-empty justifications—review suppressions carefully before relying on them in CI.
3) There are no network calls or credentials requested by the tool itself, and it doesn't modify other skills or system settings. If you plan to automate this in CI, ensure SARIF/JSON outputs are consumed only by trusted systems and that you don't inadvertently expose scanned content publicly.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛡️ Clawdis
Bins: node
Tags: latest, openclaw, sarif, scanner, security, skill-safety
145 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

ClawShield

Scan a skill directory without executing it and return a risk level that can be enforced in review or CI.

When to use

  • You want a fast static review before installing or publishing a skill.
  • You need machine-readable findings for CI or release gates.
  • You want a narrow ruleset aimed at common high-risk supply-chain patterns.

Command

node {baseDir}/bin/clawshield.js scan /path/to/skill --format table
node {baseDir}/bin/clawshield.js scan /path/to/skill --format json
node {baseDir}/bin/clawshield.js scan /path/to/skill --format sarif > clawshield.sarif
node {baseDir}/bin/clawshield.js scan /path/to/skill --format table --fail-on caution

Rules

Rule ID                          Severity  Description
CS001_CURL_PIPE_SH               high      curl or wget piped directly into a shell
CS002_OBFUSCATED_EXEC            high      obfuscated or dynamic execution such as eval, new Function, or base64 decode flows
CS003_SUSPICIOUS_CALLBACK        medium    suspicious outbound callback endpoints such as raw IPs, ngrok, or webhook collectors
CS004_SOCIAL_ENGINEERING_PROMPT  medium    instructions that pressure users to bypass safety controls
CS005_SHELL_WRAPPER_EXEC         high      bash -c wrappers that hide remote execution

Risk levels

  • Safe: no findings after suppressions
  • Caution: one or more medium-severity findings
  • Avoid: one or more high-severity findings

Suppressions

Create .clawshield-suppressions.json in the target skill directory:

[
  {
    "ruleId": "CS001_CURL_PIPE_SH",
    "file": "install.sh",
    "line": 15,
    "justification": "Reviewed manually; uses a pinned artifact with signature verification."
  }
]

Suppressions without justification are ignored.
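
How the risk levels and the suppression rule above combine in a review or CI gate, as an added example (not ClawShield's own code). The match on exact ruleId + file + line, the at-or-above meaning of --fail-on, the fail-closed handling of unknown rule IDs, and the sample findings are assumptions made for this sketch.

```javascript
// Added example: models the documented behaviour, not ClawShield's source.
const SEVERITY = {                       // severities from the Rules table
  CS001_CURL_PIPE_SH: "high",
  CS002_OBFUSCATED_EXEC: "high",
  CS003_SUSPICIOUS_CALLBACK: "medium",
  CS004_SOCIAL_ENGINEERING_PROMPT: "medium",
  CS005_SHELL_WRAPPER_EXEC: "high",
};
const ORDER = ["safe", "caution", "avoid"];
const key = (x) => JSON.stringify([x.ruleId, x.file, x.line]);

// Only suppressions with a non-empty justification are honoured.
function applySuppressions(findings, suppressions) {
  const honoured = new Set(
    suppressions
      .filter((s) => typeof s.justification === "string" && s.justification.trim() !== "")
      .map(key) // assumption: match on exact ruleId + file + line
  );
  return findings.filter((f) => !honoured.has(key(f)));
}

// Safe / Caution / Avoid as defined under "Risk levels".
function riskLevel(findings) {
  // Choice made for this example: an unknown rule ID fails closed as "high".
  const sev = findings.map((f) => SEVERITY[f.ruleId] ?? "high");
  if (sev.includes("high")) return "avoid";
  return sev.includes("medium") ? "caution" : "safe";
}

// Assumption: --fail-on fails the run at or above the named level.
function gate(findings, suppressions, failOn) {
  const remaining = applySuppressions(findings, suppressions);
  const level = riskLevel(remaining);
  return { level, remaining, fail: ORDER.indexOf(level) >= ORDER.indexOf(failOn) };
}

// Constructed sample data (file names and line numbers are made up).
const findings = [
  { ruleId: "CS001_CURL_PIPE_SH", file: "install.sh", line: 15 },
  { ruleId: "CS003_SUSPICIOUS_CALLBACK", file: "scripts/notify.js", line: 8 },
];
const suppressions = [
  { ruleId: "CS001_CURL_PIPE_SH", file: "install.sh", line: 15,
    justification: "Reviewed manually; uses a pinned artifact with signature verification." },
  { ruleId: "CS003_SUSPICIOUS_CALLBACK", file: "scripts/notify.js", line: 8, justification: "" },
];
console.log(gate(findings, suppressions, "caution")); // CS003 stays: its suppression has no justification
```

A reviewer reading a suppressions file can use the same filter to list entries that will be silently ignored because their justification is empty.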

CI example

- run: node {baseDir}/bin/clawshield.js scan . --format sarif --fail-on caution

Boundaries

  • ClawShield is a static scanner. It does not sandbox or execute the target skill.
  • The rule set is intentionally narrow and should be treated as a high-signal first pass, not a full security audit.
