OpenClaw Skill Auditor
v1.0.0
Scans ClawHub skills to detect malicious code, obfuscated payloads, and social engineering via pattern matching, deobfuscation, and LLM analysis before insta...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md and the script implement a skill-auditor as described, but the runtime relies on external CLIs ('clawhub inspect' to fetch skills and optional 'gemini' for LLM analysis) even though the skill declares no required binaries/dependencies. That omission is an incoherence — a scanner that fetches remote skills and optionally runs LLM analysis legitimately needs those tools declared.
Instruction Scope
The instructions and script scan skill files (expected) but also copy suspicious snippets to a predictable /tmp file and explicitly instruct the OpenClaw agent to analyze them with an LLM. That workflow can expose full suspicious code to any LLM or other actor the agent uses. The SKILL.md also encourages reporting findings by emailing a personal address (steipete@gmail.com), which could leak code or sensitive material. The script itself does not exfiltrate over network, but its guidance promotes sending data externally.
Install Mechanism
No install spec (instruction-only) — the skill does not download or install third-party code at install time, which minimizes direct install risk.
Credentials
The skill does not request any environment variables or credentials (good). It scans target code for uses of $API_KEY, ~/.ssh, ~/.aws, etc., which is appropriate for a scanner. However, because it encourages copying suspicious snippets to /tmp and sending them for LLM analysis or email, there's a privacy/credential-leak risk if scanned code contains real secrets.
Persistence & Privilege
The skill does not request persistent/always-on privileges and does not modify other skills or system-wide settings. It runs on demand and uses temporary files, which is appropriate for a scanner.
Scan Findings in Context
[uses-clawhub-cli] expected: The script runs 'clawhub inspect' to fetch skills for analysis. That is necessary for a pre-install auditor, but the skill metadata does not list 'clawhub' as a required binary — the dependency should be declared.
[optional-gemini-llm-cli] expected: SKILL.md and script reference using a Gemini CLI for LLM intent analysis. Optional LLM tooling is reasonable, but it's not declared and the workflow copies suspicious code to /tmp for analysis, which can leak sensitive content to the LLM provider.
[writes-to-tmp-suspicious-file] unexpected: The script copies suspicious content to a predictable /tmp path (/tmp/skill-audit-<name>-suspicious.txt). For a scanner this is convenient, but predictable temporary file names increase the risk that other processes or users on the same host can read sensitive data.
[external-reporting-email] unexpected: SKILL.md instructs users to report suspicious skills by emailing steipete@gmail.com. Sending potentially sensitive code to a personal email is not required for auditing and could leak data; a formal reporting channel would be preferable.
What to consider before installing
This skill appears to implement a legitimate scanner, but review before use: (1) be aware it expects (but doesn't declare) the 'clawhub' CLI to fetch remote skills and optionally an LLM CLI (Gemini) for deeper analysis — install and verify those tools from trusted sources first; (2) run the auditor in an isolated sandbox or VM when scanning untrusted skills because it fetches remote skill packages; (3) the script writes collected suspicious snippets to a predictable /tmp file and suggests sending them to an LLM or emailing a personal address — do NOT send secrets or plaintext sensitive files to third-party LLMs or personal emails; (4) if you plan to use the LLM analysis path, configure it to use a trusted, privacy-preserving endpoint or do the analysis offline; and (5) ask the author to explicitly declare required binaries/dependencies and to remove or make the reporting workflow safer (use a private/internal reporting channel). If you need higher assurance, run the script on a throwaway environment and manually inspect its output before following any 'send' recommendations.
Like a lobster shell, security has layers — review code before you run it.
