Skill Guard

Security

SkillShield v4 — Ultimate security scanner for OpenClaw skills. 65 security checks, SARIF v2.1.0 output, CI/CD ready, campaign detection, C2 IP blocklist, known malicious actor database, macOS attack detection, agent config tampering, LLM tool exploitation, pre-commit hooks, and more. Python 3 stdlib only. Single file. Zero dependencies.

Install

openclaw skills install skillshield

SkillShield v4.0.0 — Ultimate Edition 🛡️

65 security checks | SARIF v2.1.0 | CI/CD ready | Zero dependencies

The most comprehensive security scanner for OpenClaw/ClawHub skills. Detects malware, credential theft, exfiltration, prompt injection, campaign signatures, agent takeover, macOS-specific attacks, and more.

Feature Comparison

Feature | SkillShield v4 | Skillvet v2
Total security checks | 65 | 48
Python 3 stdlib only |  | ❌ (bash)
Single file |  | ❌ (multi-file)
SARIF v2.1.0 output
JSON output
Summary mode
Verbose mode
Pre-commit hook
GitHub Actions template
HTML dashboard report
Markdown report
Interactive mode
Quarantine system
Baseline/tamper detection
SBOM generation
Diff scanning
Custom rules engine
Risk scoring (weighted)
Check IDs (SS-001+)
Exit codes (0/1/2)
Known C2/IOC IP blocklist
Known malicious actors
Exfiltration endpoints
Paste service detection
Campaign detection (3)
Behavioral analysis
macOS attack detection
Agent config tampering
LLM tool exploitation
String evasion detection
Punycode domains
Double encoding
Password archive detection
Network fingerprinting
Reputation grading
Context-aware domain checks
Inline ignore comments
.skillshield-ignore file |  | ✅ (.skillvetrc)
Max file size option
Max depth option
16 file types scanned
Statistics footer

Usage

Scan all skills

python3 skills/skill-guard/scripts/skillguard.py scan

Check a single skill

python3 skills/skill-guard/scripts/skillguard.py check skills/some-skill

Check a directory of skills

python3 skills/skill-guard/scripts/skillguard.py check /path/to/skills

Output Formats

# JSON output (for automation)
python3 scripts/skillguard.py check skills/some-skill --json

# SARIF v2.1.0 (for GitHub Code Scanning / VS Code)
python3 scripts/skillguard.py check skills/some-skill --sarif

# Summary mode (one-line per skill)
python3 scripts/skillguard.py scan --summary

# Verbose mode (debug check progress)
python3 scripts/skillguard.py scan --verbose

# HTML dashboard
python3 scripts/skillguard.py scan --html report.html

# Markdown report
python3 scripts/skillguard.py scan --report report.md

CI/CD Integration

GitHub Actions (SARIF upload):

- name: Run SkillShield
  run: python3 skills/skill-guard/scripts/skillguard.py check skills/ --sarif > results.sarif || true

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Generate GitHub Actions workflow:

python3 scripts/skillguard.py ci > .github/workflows/skillshield.yml

Pre-commit hook:

python3 scripts/skillguard.py hook > .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit

Exit Codes

Code | Meaning
0 | Clean — no issues found
1 | Warnings only — suspicious findings
2 | Critical/malicious findings
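
The workflow step above ends in `|| true`, which keeps the job green for every exit code, including a scanner crash. The wrapper below is an added example, not part of SkillShield: it keeps the SARIF file for upload and still fails the build on exit code 2. `run_gate`, `classify_exit` and the `SCANNER` variable are names chosen for this example.

```shell
#!/bin/sh
# Added example (not SkillShield's own code): keep the SARIF file AND gate the build.
# SCANNER defaults to the command shown on this page; override it to test the wrapper.
SCANNER=${SCANNER:-"python3 skills/skill-guard/scripts/skillguard.py"}

# classify_exit RC -> clean | warnings | critical | scanner-error
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo warnings ;;
        2) echo critical ;;
        *) echo scanner-error ;;   # crash, missing interpreter, killed by signal
    esac
}

# run_gate TARGET SARIF_OUT [STRICT]
# Returns 0 when the build may proceed. STRICT=1 also blocks on warnings.
run_gate() {
    gate_target=$1; gate_out=$2; gate_strict=${3:-0}
    gate_rc=0
    # $SCANNER is intentionally unquoted so "python3 path/to/script" splits into words.
    $SCANNER check "$gate_target" --sarif > "$gate_out" || gate_rc=$?
    gate_verdict=$(classify_exit "$gate_rc")
    # An empty SARIF file means the upload step would have nothing to show.
    [ -s "$gate_out" ] || gate_verdict=scanner-error
    echo "skillshield: exit=$gate_rc verdict=$gate_verdict sarif=$gate_out" >&2
    case "$gate_verdict" in
        clean) return 0 ;;
        warnings) if [ "$gate_strict" = 1 ]; then return 1; fi; return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: ./gate.sh skills/ results.sarif [1]
if [ "$#" -ge 2 ]; then
    run_gate "$@"
    exit $?
fi
```

In GitHub Actions, call this in place of the `|| true` one-liner and put `if: always()` on the upload step so the SARIF is still uploaded when the gate fails.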

All Commands

Command | Description
scan [dir] | Scan all skills (default: ~/clawd/skills/)
check <path> | Scan a single skill or directory
watch [dir] | One-liner summary for cron alerting
diff <name> | Compare skill against baseline
quarantine <name> | Move malicious skill to quarantine
unquarantine <name> | Restore from quarantine
list-quarantine | Show quarantined skills
sbom <name> | Generate Software Bill of Materials (JSON)
hook | Generate git pre-commit hook
ci | Generate GitHub Actions workflow

All Options

Flag | Description
--json | Machine-readable JSON output
--sarif | SARIF v2.1.0 output
--summary | One-line per skill output
--verbose | Show check progress
--report <path> | Markdown report file
--html <path> | HTML dashboard report
--baseline | Force re-baseline hashes
--interactive | Review findings interactively
--ci | Generate GitHub Actions workflow
--max-file-size N | Skip files > N bytes
--max-depth N | Limit traversal depth

False Positive Suppression

File-level: Create .skillshield-ignore in the skill:

Base64 encode/decode operation
HTTP request to unknown domain: my-legit-api.com

Inline: Add # skillshield-ignore comment:

url = "https://bit.ly/legit-link"  # skillshield-ignore
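
Both suppression mechanisms are stored inside the skill being scanned, so when reviewing a skill you did not write it helps to list every suppression it ships before relying on a clean result. The inventory below is an added example, not part of SkillShield; it assumes the `skills/<skill-name>/...` layout used in the commands on this page, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not SkillShield's own code): inventory suppressions in a skills tree.
# Assumes SKILLS_DIR/<skill-name>/... and no ':' characters in file paths.

# list_suppressions SKILLS_DIR
# Prints one tab-separated line per suppression:
#   inline <TAB> path:line
#   file   <TAB> path <TAB> ignored finding text
list_suppressions() {
    sup_root=${1%/}
    # Inline markers: the fixed string shown in the README, with file and line.
    find "$sup_root" -type f ! -name .skillshield-ignore \
        -exec grep -nHF -e '# skillshield-ignore' {} + 2>/dev/null |
        awk -F: '$2 ~ /^[0-9]+$/ { printf "inline\t%s:%s\n", $1, $2 }'
    # File-level lists: every non-blank line is one ignored finding.
    find "$sup_root" -type f -name .skillshield-ignore 2>/dev/null |
        while IFS= read -r sup_file; do
            awk -v f="$sup_file" 'NF { printf "file\t%s\t%s\n", f, $0 }' "$sup_file"
        done
}

# skills_with_suppressions SKILLS_DIR
# Prints the sorted, unique names of skills that carry at least one suppression.
skills_with_suppressions() {
    sws_root=${1%/}
    list_suppressions "$sws_root" | awk -F'\t' -v r="$sws_root/" '
        {
            p = $2
            sub(/:[0-9]+$/, "", p)                     # drop ":line" on inline rows
            if (index(p, r) == 1) p = substr(p, length(r) + 1)
            split(p, parts, "/")
            print parts[1]
        }' | sort -u
}

# Stand-alone use: ./suppressions.sh skills/
if [ "$#" -ge 1 ]; then
    list_suppressions "$1"
fi
```

Running it against the previous revision of a skill and comparing the output shows which suppressions an update introduced.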

Security Checks (65 total)

Check IDs (SS-001 through SS-065)

ID | Check | Severity | Weight
SS-001 | Outbound HTTP request | WARNING | 3
SS-002 | eval/exec call | WARNING | 5
SS-003 | Dynamic import | WARNING | 5
SS-004 | Base64 decode operation | WARNING | 4
SS-005 | Base64 decodes to suspicious content | CRITICAL | 9
SS-006 | Hex string decodes to suspicious content | CRITICAL | 9
SS-007 | URL shortener detected | WARNING | 5
SS-008 | Executable data URI | WARNING | 5
SS-009 | Hardcoded secret | CRITICAL | 10
SS-010 | SSL verification disabled | WARNING | 5
SS-011 | PATH modification | CRITICAL | 8
SS-012 | Library path modification | CRITICAL | 8
SS-013 | Shell execution (os.system) | WARNING | 4
SS-014 | subprocess with shell=True | CRITICAL | 7
SS-015 | Sensitive file access | CRITICAL | 8
SS-016 | Reverse shell pattern | CRITICAL | 10
SS-017 | DNS exfiltration | CRITICAL | 9
SS-018 | Crontab modification | CRITICAL | 8
SS-019 | System service creation | CRITICAL | 8
SS-020 | Shell RC file modification | CRITICAL | 8
SS-021 | Time bomb pattern | WARNING | 6
SS-022 | Pickle deserialization | CRITICAL | 9
SS-023 | Prompt injection override | CRITICAL | 9
SS-024 | Prompt injection exfiltration | CRITICAL | 9
SS-025 | Social engineering phrase | WARNING | 5
SS-026 | SVG JavaScript | CRITICAL | 8
SS-027 | SVG event handler | WARNING | 5
SS-028 | npm lifecycle hook | CRITICAL | 8
SS-029 | Typosquat package | WARNING | 6
SS-030 | Binary executable | CRITICAL | 9
SS-031 | Symlink to sensitive path | CRITICAL | 8
SS-032 | Archive file | WARNING | 4
SS-033 | Unicode homoglyph | CRITICAL | 7
SS-034 | ANSI escape injection | WARNING | 5
SS-035 | Writes outside skill dir | WARNING | 5
SS-036 | COMBO: sensitive + outbound | CRITICAL | 10
SS-037 | COMBO: subprocess + sensitive | CRITICAL | 8
SS-038 | Campaign signature match | CRITICAL | 10
SS-039 | BEHAVIORAL: staged exfiltration | CRITICAL | 9
SS-040 | BEHAVIORAL: download + exec | CRITICAL | 9
SS-041 | BEHAVIORAL: env harvest + network | CRITICAL | 9
SS-042 | Clipboard access | WARNING | 4
SS-043 | Bulk env variable capture | CRITICAL | 9
SS-044 | Permission mismatch (trojan) | CRITICAL | 8
SS-045 | Known C2/IOC IP address | CRITICAL | 10
SS-046 | Known exfiltration endpoint | CRITICAL | 10
SS-047 | Paste service reference | CRITICAL | 7
SS-048 | GitHub raw content execution | CRITICAL | 9
SS-049 | macOS Gatekeeper bypass (xattr) | CRITICAL | 9
SS-050 | macOS osascript social engineering | CRITICAL | 8
SS-051 | TMPDIR payload staging | CRITICAL | 9
SS-052 | Keychain theft | CRITICAL | 10
SS-053 | Password-protected archive | CRITICAL | 7
SS-054 | Double-encoded path bypass | CRITICAL | 7
SS-055 | Punycode domain (IDN attack) | CRITICAL | 7
SS-056 | String construction evasion | CRITICAL | 7
SS-057 | Process persistence + network | CRITICAL | 9
SS-058 | Agent config tampering | CRITICAL | 9
SS-059 | LLM tool exploitation | CRITICAL | 9
SS-060 | Fake prerequisite pattern | CRITICAL | 7
SS-061 | Network fingerprinting + exfil | WARNING | 6
SS-062 | Known malicious actor | CRITICAL | 10
SS-063 | Nohup/disown + network | CRITICAL | 9
SS-064 | chmod +x on downloaded file | CRITICAL | 8
SS-065 | open -a with downloaded binary | CRITICAL | 8

Campaign Detection

  • ClawHavoc — 386-skill wallet theft campaign with C2 beacons
  • twitter-enhanced — Typosquatting popular skills with hidden eval/exec
  • ClickFix — Social engineering to run clipboard commands

Known C2/IOC IP Blocklist

Based on reports from Koi Security, Bitdefender, Snyk:

  • 91.92.242.30 — AMOS C2 server
  • 54.91.154.110 — AMOS C2 server
  • 185.215.113.16 — ClawHavoc dropper relay
  • 45.61.136.47 — AMOS stage-2 payload
  • 194.169.175.232 — Atomic Stealer C2
  • 91.92.248.52 — ClawHavoc wallet exfil
  • 79.137.207.210 — Bandit Stealer C2
  • 45.155.205.172 — Generic macOS stealer C2

Known Malicious Actors

  • zaycv, Ddoy233, Sakaen736jih, Hightower6eu, aslaep123, davidsmorais, clawdhub1

File Types Scanned

.py, .js, .ts, .tsx, .jsx, .sh, .bash, .rs, .go, .rb, .c, .cpp, .md, .json, .svg, .yml, .yaml, .toml, .txt, .cfg, .ini, .html, .css, .env*, Dockerfile*, Makefile, pom.xml, .gradle

Performance

  • 25 real skills in < 1 second
  • 16 test cases in < 0.5 seconds
  • Single Python 3 file, zero dependencies
  • 2,800 lines of pure stdlib Python