Skill Security Auditor Jack
Audit third-party or custom skills for permission risk, unsafe commands, and integration safety. Use before: installing a new skill, enabling external script...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence
Purpose & Capability
Name and description match the SKILL.md content: it is an auditor that expects skill metadata and installation details as input. It doesn't request unrelated credentials, binaries, or system access.
Instruction Scope
Runtime instructions define what to inspect (manifests, install steps, env usage, shell commands) and what to flag. The SKILL.md does not instruct the agent to read host secrets or run arbitrary commands itself — it only prescribes checks to perform on provided inputs.
Install Mechanism
No install spec and no code files are provided, so nothing is written to disk or fetched. This reduces risk and is proportional for an instruction-only auditor.
Credentials
The skill declares no required environment variables or credentials. The auditor correctly lists environment-related issues to flag in other skills rather than requesting secrets itself.
Persistence & Privilege
`always` is false and the skill is user-invocable. It does not request persistent or elevated privileges and does not modify other skills' configuration in its instructions.
Assessment
This skill is instruction-only and coherent with its purpose: it defines checks and an output schema but does not itself perform installs or request secrets. Keep in mind: (1) its effectiveness depends on accurate inputs — it will not automatically fetch or verify remote code unless the agent supplies that data; (2) treat its audit as advisory, not authoritative — for high-risk skills follow up with manual code review; (3) when adopting untrusted skills, prefer sandboxed execution or manual review even if the auditor reports low risk. If you want stronger guarantees, run this auditor alongside actual inspections of the install artifacts and source repository rather than relying solely on its textual analysis.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
SKILL.md
Skill Security Auditor
Audit skills for supply-chain, privilege, and automation risk before adoption.
Input
Required:
- `skill_manifest` — the skill's SKILL.md or metadata
- `source_location` — where the skill comes from (clawhub, git, local, unknown)
- `required_permissions` — what permissions the skill requests
- `shell_commands` — any shell/CLI commands referenced by the skill
- `env_usage` — environment variables the skill reads or writes
- `install_steps` — how the skill is installed / what it runs on install
Output Schema
```
risk_level: "low" | "medium" | "high" | "critical"
suspicious_actions: {
  action: string
  location: string
  severity: "warning" | "critical"
  description: string
  recommendation: string
}[]
over_privileged_points: {
  permission: string
  why_needed: string | null
  why_excessive: string
  recommendation: string
}[]
install_recommendation: "approve" | "approve_with_sandbox" | "reject" | "manual_review"
sandbox_recommendation: {
  recommended: boolean
  isolation_level: "none" | "process" | "network" | "full"
  reasons: string[]
} | null
audit_summary: string # one paragraph honest summary
```
Risk Levels
| Level | Criteria |
|---|---|
| low | Minimal permissions, no shell, no env secrets, known source |
| medium | Some filesystem access or env usage, known source |
| high | Shell commands, broad permissions, or unknown source |
| critical | Opaque install scripts, secret access, eval/exec patterns |
Suspicious Actions to Flag
- `eval`, `exec`, `Function()` — code execution
- `curl`/`wget` with pipe to shell — remote code download
- `chmod +x`/`sudo` — privilege escalation
- Reading `~/.ssh`, `/etc/passwd`, environment secrets
- Network calls to unknown hosts
- Base64-encoded or obfuscated commands
- Install scripts that fetch from unknown URLs
Over-Privileged Points to Flag
- Filesystem access beyond the skill's stated scope
- Broad `read` permissions on entire directories
- `write` access to system paths
- Environment variables containing tokens/keys
- Network access not strictly needed for stated function
Source Trust Levels
| Source | Trust |
|---|---|
| ClawHub verified | medium (review anyway) |
| Known git repo | medium |
| Local skill | high |
| Unknown URL | low |
| Copy-pasted code | very low |
Rules
- Never default-approve high-privilege skills. Burden of proof is on the skill, not the auditor.
- Flag remote install scripts and opaque shell chains. If you can't see what runs, flag it.
- Flag access to secrets, env vars, filesystem, or network where not strictly needed.
- Recommend isolation for untrusted skills. Better safe than sorry.
Failure Handling
If source trust cannot be established:
- Default to `risk_level = "high"` minimum
- Recommend `reject` or `manual_review`
- Do not fabricate a clean audit
- Explicitly state what could not be verified