clauwdit
Security auditor for AI agent skills. Scans SKILL.md files for prompt injection, data exfiltration, obfuscation, and dangerous capability combinations.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/4worlds4w-svg/clauwdit
What This Skill Does
Clauwdit is an essential security hardening tool designed for the OpenClaw ecosystem. It functions as a specialized static security analyzer that performs automated threat modeling on SKILL.md documentation files. Before you grant an AI agent permissions or execute its logic, Clauwdit inspects the instruction sets, code blocks, and configuration metadata for malicious patterns. It identifies classic attack vectors like prompt injection, sophisticated Unicode homoglyph evasion techniques, and covert data exfiltration attempts. By parsing the structure of your markdown files, it differentiates between helpful security documentation and actual executable risk, providing you with an objective trust score between 0 and 100. This empowers developers and users alike to make informed decisions about the provenance and safety of third-party agent skills.
Installation
To integrate Clauwdit into your local OpenClaw environment, ensure you have the OpenClaw CLI properly configured, then execute the following command in your terminal:
clawhub install openclaw/skills/skills/4worlds4w-svg/clauwdit
Once installed, you can trigger the auditor by passing a skill identifier or a raw file path directly to the tool. For programmatic usage, the service provides an API endpoint at https://clauwdit.4worlds.dev/audit, allowing you to integrate security scanning into your CI/CD pipelines or automated agent deployment workflows.
Use Cases
- Pre-Installation Auditing: Run Clauwdit on new, unverified skills found on the hub before allowing them access to your system environment.
- Enterprise Compliance: Integrate the audit API into your organization's deployment gates to ensure only skills with a trust score above 80 can be installed by your internal agent fleet.
- Skill Development: Use Clauwdit during the development lifecycle to ensure your own skills don't inadvertently include insecure coding patterns or excessive capability requests.
Example Prompts
- "@clauwdit audit the skill at openclaw/skills/some-new-plugin and tell me if it requests suspicious shell permissions."
- "@clauwdit scan this local file: ./my-experimental-skill/SKILL.md and identify any potential data exfiltration risks."
- "@clauwdit, why did this skill receive a score of 55? Please explain the compound threats detected."
Tips & Limitations
- Contextual Awareness: Clauwdit is highly effective at identifying code-based threats within fenced code blocks, but it relies on well-formatted markdown. Ensure your SKILL.md follows standard documentation structures for the most accurate results.
- Static Analysis: Remember that Clauwdit is a static analysis tool. It cannot predict dynamic runtime behaviors triggered by external, non-deterministic inputs. Always use it as a first line of defense, not the final word in security.
- False Positives: While 60+ detection patterns minimize noise, complex or highly custom agent logic might occasionally trigger warnings. Treat "Moderate" scores as a signal to perform a manual review of the skill's code blocks.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-4worlds4w-svg-clauwdit": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags(AI)
Flags: network-access, code-execution