isnad-scan
Scan AI agent skills for security vulnerabilities — detects code injection, prompt injection, credential exfiltration, supply chain attacks, and 69+ threat patterns. Use when installing new skills, auditing existing ones, reviewing untrusted code, or validating packages before publishing.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/0xrapi/isnad-scanWhat This Skill Does
isnad-scan is a comprehensive security auditing tool designed specifically for the AI agent ecosystem. As AI agents gain the ability to execute code and interact with sensitive APIs, the risk of supply chain attacks, prompt injection, and credential theft grows exponentially. This skill acts as a defensive shield, scanning local skill directories and packages against a database of over 69 distinct threat patterns. It evaluates code for dangerous constructs like unauthorized shell execution, hardcoded sensitive keys, and potential filesystem traversal vulnerabilities. By integrating isnad-scan into your development workflow, you ensure that every skill—whether downloaded from a public repository or written locally—is thoroughly vetted before execution.
Installation
To add the isnad-scan utility to your local OpenClaw agent environment, execute the following command in your terminal:
clawhub install openclaw/skills/skills/0xrapi/isnad-scan
Once installed, the utility is available as a command-line tool. You can verify the installation by running isnad-scan --help to view available configuration options and output formats.
Use Cases
- Vetting Third-Party Skills: Before installing any skill from an untrusted or public source, run
isnad-scanon the directory to ensure it doesn't contain malicious logic, such as data exfiltration or reverse shells. - CI/CD Integration: Incorporate the tool into your GitHub Actions or automated pipelines. By using the
--jsonflag, you can fail builds that return a CRITICAL severity finding. - Post-Update Auditing: Whenever you pull updates for your installed skill set, perform an audit to ensure that new code commits haven't introduced security regressions or malicious payloads.
- Security Research: Analyze existing codebases to map out potential attack surfaces or to verify compliance with organizational security policies regarding safe coding practices.
Example Prompts
- "OpenClaw, please run a security audit on my newly downloaded skill directory at ./skills/web-scraper-beta and provide a summary of the findings."
- "Scan the directory ./skills/ai-assistant-v2 and perform a full audit including CVE dependency checks, outputting the results in verbose mode."
- "Check if there are any critical vulnerabilities in the './skills/data-processor' directory and alert me if the scan reveals any hardcoded credentials or network exfiltration patterns."
Tips & Limitations
While isnad-scan is a powerful tool for catching known patterns and common attack vectors, it is not a substitute for manual code review. It performs static analysis; therefore, it may struggle with highly obfuscated or dynamically generated code that hides its true intent. Always combine isnad-scan with a "zero-trust" mindset: keep your API keys in secure, environment-specific vaults rather than hardcoding them, and never run untrusted code with elevated system privileges. For critical production environments, consider running isnad-scan in an isolated container or virtualized sandbox to further mitigate risk. Always keep your isnad-scan database updated to ensure protection against the latest reported threat signatures.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-0xrapi-isnad-scan": {
"enabled": true,
"auto_update": true
}
}
}Tags(AI)
Flags: file-read, code-execution