skulk-skill-scanner
Scan OpenClaw skill folders for security red flags before installing or publishing. Detects data exfiltration, credential theft, prompt injection, destructive commands, obfuscation, privilege escalation, and supply chain risks. Use when: evaluating a skill from ClawHub before install, auditing your own skills before publishing, or reviewing any SKILL.md for safety. NOT for: general code review or vulnerability scanning of non-skill codebases.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/adainthelab/skulk-skill-scannerWhat This Skill Does
The skulk-skill-scanner is a specialized security tool designed for the OpenClaw ecosystem. It acts as a static analysis engine that scrutinizes OpenClaw skill directories to identify potentially malicious patterns before they are executed. By parsing source code, manifest files, and local dependencies, the scanner looks for red flags such as unauthorized data exfiltration, attempts to access credentials, malicious prompt injection vectors, and destructive shell commands. It serves as an essential gatekeeper for any user looking to integrate third-party functionality into their agent.
Installation
You can install this tool directly using the OpenClaw Hub CLI. Run the following command in your terminal:
clawhub install openclaw/skills/skills/adainthelab/skulk-skill-scanner
Use Cases
- Safety Auditing: Run this against a new skill downloaded from the community to verify it does not contain hidden network calls or obfuscated code.
- Pre-Publishing Verification: If you are a developer, use this to scan your own projects to ensure you haven't accidentally left sensitive code patterns before sharing your work on ClawHub.
- CI/CD Integration: Integrate the scanner into your automated build pipelines using the
--jsonor--summaryflags. Since the tool returns an exit code of 1 on failure, it is perfect for stopping insecure code from ever reaching a deployment stage.
Example Prompts
- "Scan the folder ./skills/community-analytics-tool and let me know if it attempts to access my environment variables."
- "Run a silent check on my ./skills/my-new-plugin and output the results in JSON format for my report."
- "Audit the local skill at ./skills/web-scraper using the verbose flag so I can review every rule triggered by the static analyzer."
Tips & Limitations
Always remember that this scanner relies on pattern matching. While it is excellent at detecting known exploit signatures, it is not a silver bullet against advanced, runtime-based threats or highly sophisticated social engineering. Treat this as your primary layer of defense, but keep a cautious eye on any skill requesting high-level system permissions. If a skill achieves a 'Warn' or 'Fail' score, refrain from installing it until you have manually inspected the codebase. Finally, remember to regularly update the SAFE_DOMAINS array within the script to ensure your legitimate network requests aren't incorrectly flagged.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-adainthelab-skulk-skill-scanner": {
"enabled": true,
"auto_update": true
}
}
}Tags(AI)
Flags: file-read, code-execution
Related Skills
auth-guard
Standardize API credential handling and startup auth checks to prevent "missing key" regressions across sessions. Use when an agent repeatedly loses auth state, gets intermittent 401/403 errors after restarts, relies on ad-hoc curl calls, or needs a reusable auth-first pattern for HEARTBEAT.md/AGENTS.md and helper scripts.
skulk-email
Email via DreamHost — read inbox, send email, search messages. Send works from any VPS (including DigitalOcean) by routing through DreamHost's Roundcube webmail over HTTPS, bypassing SMTP port blocks. Optionally read a shared Gmail inbox via IMAP. Use when: sending email, checking inbox, reading messages, or setting up email for an agent. Dependencies: python3, curl, jq (must be installed on the host). Credentials: DreamHost mailbox email+password stored at ~/.config/skulk-email/credentials.json (user must create this file manually before use; see Setup). No third-party services or API keys needed.