ClawHub

Yoder Skill Auditor

v3.1.0

The definitive security scanner for OpenClaw skills. 18 security checks including prompt injection detection, download-and-execute, privilege escalation, cre...

3· 5.7k·4 current·6 all-time
by@yoder-bawt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name, description, and required binaries (python3, bash) align with an on-disk auditor implementation. However the package contains an entire `tests/` tree of intentionally 'malicious' fixtures (curl|bash chains, sudo/setuid, reading ~/.ssh, prompt-injection HTML comments, etc.) while the changelog and SKILL.md explicitly claim that `tests/` is excluded from distributed packages via .clawignore. Including these test fixtures in the published bundle contradicts that claim and is unexpected for a 'production' scanner distribution.
!
Instruction Scope
Runtime instructions direct the agent to run audit.sh, inspect.sh, trust_score.py and other scripts which scan skill directories and may invoke clawhub to download remote skills. The scanner intentionally excludes `tests/` from scanning and implements a PATTERN_DEF_FILTER to avoid self-flagging. Those two behaviors are reasonable for a self-auditing tool but also create avenues to hide or silence findings if malicious content is placed in excluded locations or crafted to look like 'pattern definitions'. The SKILL.md and scripts also instruct the user to run test.sh; the repo's test fixtures include dangerous commands — the docs warn not to execute them, but their presence in the package increases risk if a user accidentally runs tests.
Install Mechanism
There is no install spec (instruction-only / scripts included). This lowers remote-install risk. The skill does ship executable scripts (bash/python) that will be present on disk if the user installs the package — there's no remote download/install step embedded in the skill itself. However inspect.sh will call the external `clawhub` CLI and download skills to a temp dir, which implies network access when used.
Credentials
The skill declares no required environment variables or secrets and only requires python3 and bash, which is proportional. That said the codebase contains detection patterns that reference many secret names (OPENAI_API_KEY, AWS credentials, BW_SESSION, etc.) which is expected for a scanner. Also some test fixtures contain explicit reads of ~/.ssh, ~/.aws/credentials and network exfiltration endpoints — again appropriate for test coverage but potentially alarming if the tests remain included in a distributed package.
Persistence & Privilege
The skill does not request always: true and does not declare elevated privileges. It does not auto-install or autoregister itself. Inspect.sh explicitly documents it will not auto-install skills. No evidence the skill writes to other skills' configs or attempts system-wide changes as part of normal operation.
Scan Findings in Context
[ignore-previous-instructions] expected: A prompt-injection pattern was found (e.g., HTML comment 'ignore all previous instructions...') inside the test fixture `tests/malicious-prompt-injection/SKILL.md`. That is expected for a security scanner's negative test fixtures, but the presence of the test fixture in the shipped package (despite documentation saying tests are excluded) is the concerning part.
What to consider before installing
This package largely implements the advertised auditor, but I recommend caution before installing or running it in a production environment. Specific actions to take: 1) Verify why the `tests/` directory (contains intentionally malicious fixtures) is present despite SKILL.md/CHANGELOG claims it should be excluded; prefer a build that omits tests. 2) Inspect the PATTERN_DEF_FILTER and the audit.sh exclusions — these are meant to silence self-matching detection rules but could be abused to hide real issues; ensure the filter doesn't over-broaden exclusions. 3) Never execute the test fixtures on a production host; run scans and any test.sh in a fully isolated sandbox or VM with no sensitive credentials and no network access (or restricted network). 4) When using inspect.sh, be aware it will invoke the clawhub CLI and download remote code — run that in a sandbox and review downloaded contents before executing anything. 5) Consider cross-checking results with an independent scanner or manual review (especially for critical findings) because the auditor downgrades allowlisted skills and uses heuristics (which can be tuned or bypassed). 6) If you plan to trust this tool in CI, request a release/build that omits test fixtures and review the PATTERN_DEF_FILTER logic and allowlist policies. Overall: workable but exercise due diligence.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c1bzbefghwp63n1e40gm5cs81994x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3, bash

Comments