Security Audit (Sona)

v0.1.3

Fail-closed security auditing for OpenClaw/ClawHub skills & repos: trufflehog secrets scanning, semgrep SAST, prompt-injection/persistence signals, and supply-chain hygiene checks before enabling or installing.

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (fail-closed security audit) match the declared binaries (trufflehog, semgrep, jq, python3) and the provided scripts implement trufflehog/semgrep runs plus a Python hostile-audit scanner. The requested install packages and subprocess allowances are proportionate to the stated purpose.
Instruction Scope
SKILL.md and scripts instruct the agent to run scripts/run_audit_json.sh <path>, which legitimately reads the target repo/workspace and runs trufflehog/semgrep/hostile_audit.py. The scanner searches file contents for prompt-injection, exfiltration and persistence patterns, which is expected for this tool. One convenience wrapper (scripts/security_audit.sh) contains hard-coded user-specific paths (e.g., /home/virta/.openclaw/workspace/hybrid_orchestrator); that is an operational oddity, so inspect or edit it before use. Otherwise the instructions do not attempt to transmit findings to external endpoints.
Install Mechanism
Install spec uses apt/brew for jq/trufflehog/semgrep and a shell pipx flow for semgrep (python3 -m pip install --user pipx && pipx install semgrep). These are reasonable but not zero-risk: pipx installs into the user environment (~/.local/bin) and the install script may modify PATH visibility. No opaque downloads or URL shorteners are used.
Credentials
No secrets or unrelated environment variables are requested. The only runtime env var referenced is OPENCLAW_AUDIT_LEVEL (for strictness), and run_audit_json.sh adds $HOME/.local/bin to PATH so pipx-installed binaries are visible. The tool intentionally scans filesystem targets provided by the user — that broad file access is expected for an auditor.
Persistence & Privilege
The skill does not request 'always: true' or elevated persistent presence. It does write temporary files under a tempdir and may write reports to user-specified paths; the manifest/docs describe quarantine/workdir locations. The wrapper script intentionally swallows non-zero exit codes (prints JSON and exits 0). That is useful for embedding, but be aware of it when scripting around the wrapper: check the JSON's ok field rather than the exit status.
Assessment
This skill appears to be what it says: a conservative, fail-closed repo/skill auditor that runs trufflehog, semgrep, and a custom Python scanner. Before installing or running it:

1) Run it on a quarantined copy of the repository (do not point it at / or sensitive live directories).
2) Inspect and, if needed, edit scripts/security_audit.sh, which contains hard-coded paths (/home/virta/...), so it doesn't scan unintended locations.
3) Expect pipx to be installed into your user environment (~/.local/bin); run_audit_json.sh prepends that path.
4) Confirm you want a fail-closed workflow: the tool treats missing manifest/lockfiles/persistence signals as FAIL by design.
5) If you need offline/no-network guarantees, ensure trufflehog/semgrep are run with update checks disabled (the repo notes this) and review semgrep/trufflehog versions before trusting results.
6) If you are uncertain, run the scripts manually on a copy and review the produced JSON before integrating into automated install/promotion flows.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛡️ Clawdis
Bins: jq, trufflehog, semgrep, python3

Install

Install jq (brew)
Bins: jq
brew install jq
Install trufflehog (brew)
Bins: trufflehog
brew install trufflehog
Install semgrep (brew)
Bins: semgrep
brew install semgrep
Tags: audit, clawhub, devsecops, latest, openclaw, prompt-injection, security, semgrep, supply-chain, trufflehog
2.5k downloads
1 star
4 versions
Updated 1mo ago
v0.1.3
MIT-0

security-audit

A hostile-by-design, fail-closed audit workflow for codebases and OpenClaw/ClawHub skills.

It does not try to answer “does this skill work?”. It tries to answer: “can this skill betray the system?”

What it checks (high level)

This skill’s scripts combine multiple layers:

  • Secrets / credential leakage: trufflehog
  • Static analysis: semgrep (auto rules)
  • Hostile repo audit (custom): prompt-injection signals, persistence mechanisms, suspicious artifacts, dependency hygiene

If any layer fails, the overall audit is FAIL.

Run an audit (JSON)

From this skill folder (use bash so it works even if executable bits were not preserved by a zip download):

bash scripts/run_audit_json.sh <path>

Example:

bash scripts/run_audit_json.sh . > /tmp/audit.json
jq '.ok, .tools' /tmp/audit.json
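As an added illustration of the layered, fail-closed aggregation described above (this is example code, not the skill's own run_audit_json.sh), the runner below drives trufflehog and semgrep as separate layers and maps every outcome onto PASS or FAIL: a missing binary, a timeout, an unexpected exit code, non-JSON output, or findings emitted alongside a zero exit all count as FAIL. The CLI flags are those of current trufflehog/semgrep releases (--no-update, --fail, --error, --metrics=off, --disable-version-check); note that semgrep's --config auto still fetches rules from the registry, so a fully offline run needs a local rules path. The output keys (.ok, .tools) match the jq query above; unlike the skill's convenience wrapper, this runner exits non-zero on FAIL.

```python
#!/usr/bin/env python3
"""Fail-closed multi-layer audit runner (illustrative example, not the skill's
run_audit_json.sh). Every layer ends in PASS or FAIL; anything unexpected
(missing binary, timeout, crash, non-JSON output) is FAIL, never PASS."""
import json
import os
import shutil
import subprocess
import sys
from dataclasses import asdict, dataclass, field

PYTHON = sys.executable        # handy for exercising run_layer without the real tools
TIMEOUT_SECONDS = 600


@dataclass
class LayerResult:
    name: str
    status: str                # "PASS" or "FAIL"; deliberately no third state
    reason: str
    findings: list = field(default_factory=list)


def parse_findings(stdout: str) -> list:
    """Accept semgrep's single document ({"results": [...]}) or trufflehog's JSON
    lines; raise json.JSONDecodeError on anything else so the caller fails closed."""
    text = stdout.strip()
    if not text:
        return []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict) and "results" in doc:
        return list(doc["results"])
    return doc if isinstance(doc, list) else [doc]


def run_layer(name, argv, ok_exit_codes=(0,), finding_exit_codes=(), env=None):
    """Run one scanner and map its outcome onto PASS/FAIL."""
    if shutil.which(argv[0], path=(env or os.environ).get("PATH")) is None:
        return LayerResult(name, "FAIL", f"{argv[0]} is not installed")
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=TIMEOUT_SECONDS, env=env)
    except (subprocess.TimeoutExpired, OSError) as exc:
        return LayerResult(name, "FAIL", f"could not complete: {exc}")
    try:
        findings = parse_findings(proc.stdout)
    except json.JSONDecodeError:
        return LayerResult(name, "FAIL", f"exit {proc.returncode} with non-JSON output")
    # Findings are FAIL even if the tool exited 0 (e.g. semgrep run without --error).
    if proc.returncode in finding_exit_codes or findings:
        return LayerResult(name, "FAIL", f"{len(findings)} finding(s)", findings)
    if proc.returncode in ok_exit_codes:
        return LayerResult(name, "PASS", "no findings")
    return LayerResult(name, "FAIL",
                       f"unexpected exit {proc.returncode}: {proc.stderr.strip()[:200]}")


def aggregate(results) -> dict:
    """Overall verdict: ok only when every layer is PASS (same .ok/.tools keys as above)."""
    return {"ok": all(r.status == "PASS" for r in results),
            "tools": {r.name: asdict(r) for r in results}}


def main(target: str) -> int:
    env = dict(os.environ)
    # pipx installs semgrep under ~/.local/bin; make it visible, as run_audit_json.sh does.
    env["PATH"] = os.path.expanduser("~/.local/bin") + os.pathsep + env.get("PATH", "")
    layers = [
        # --no-update: no self-update check; --fail: exit 183 when secrets are found.
        ("trufflehog", ["trufflehog", "filesystem", target, "--json", "--no-update", "--fail"],
         (0,), (183,)),
        # --error: exit 1 on findings; metrics/version checks off. --config auto still
        # fetches rules from the registry; point --config at a local rules dir to stay offline.
        ("semgrep", ["semgrep", "scan", "--config", "auto", "--json", "--quiet", "--metrics=off",
                     "--disable-version-check", "--error", target], (0,), (1,)),
    ]
    report = aggregate([run_layer(n, argv, ok, bad, env=env) for n, argv, ok, bad in layers])
    print(json.dumps(report, indent=2))
    return 0 if report["ok"] else 1   # unlike the skill's wrapper, FAIL is a non-zero exit


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

The design point is that there is no "skipped" or "unknown" state: a layer whose tool is absent is indistinguishable, for promotion purposes, from a layer that found a secret. If you embed this in an install pipeline, gate on .ok and keep the per-layer reason strings for the human who has to decide whether a FAIL is a real finding or a broken toolchain.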

Security levels (user configurable)

Set the strictness level (default: standard):

OPENCLAW_AUDIT_LEVEL=standard bash scripts/run_audit_json.sh <path>
OPENCLAW_AUDIT_LEVEL=strict   bash scripts/run_audit_json.sh <path>
OPENCLAW_AUDIT_LEVEL=paranoid bash scripts/run_audit_json.sh <path>
  • standard: pragmatic strict defaults (lockfiles required; install hooks/persistence/prompt-injection signals fail)
  • strict: more patterns become hard FAIL (e.g. minified/obfuscation artifacts)
  • paranoid: hashing failures are no longer tolerated as best-effort (they become FAIL), and more behaviour is fail-closed

Manifest requirement (for zero-trust install workflows)

For strict/quarantine workflows, require a machine-readable intent/permissions manifest at repo root:

  • openclaw-skill.json

If a repo/skill does not provide this manifest, the hostile audit should treat it as FAIL.

See: docs/OPENCLAW_SKILL_MANIFEST_SCHEMA.md.

Optional: execution sandbox (Docker)

Docker is optional here. This skill can be used for static auditing without Docker.

If you want to execute any generated/untrusted code, run it in a separate sandbox workflow (recommended).

Files

  • scripts/run_audit_json.sh — main JSON audit runner
  • scripts/hostile_audit.py — prompt-injection/persistence/dependency hygiene scanner
  • scripts/security_audit.sh — convenience wrapper (always returns JSON and exits 0, even on FAIL; gate on the ok field, not the exit status)
  • openclaw-skill.json — machine-readable intent/permissions manifest
