ClawKit Reliability Toolkit
Official · Verified · developer tools · Safety 5/5

clawhub-skill-scanner

Security gatekeeper for skill installations. MANDATORY before installing any skill from ClawHub, GitHub, or external sources. Performs deep code analysis to detect malicious patterns, credential access, data exfiltration, command injection, and other security risks. Triggers: "install skill", "clawhub install", "new skill", "add skill", "skill from". Always run this BEFORE installation.

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/amir-ag/clawhub-skill-scanner

What This Skill Does

The clawhub-skill-scanner acts as a security gatekeeper for the OpenClaw ecosystem. Designed to mitigate the risk of malicious code injected into skills, specifically in light of the ClawHavoc threat landscape, it performs a deep, automated static analysis of any local skill directory before that skill is integrated into your environment. It parses the source code for dangerous patterns such as reverse shells, unauthorized reads of credential files (like .ssh or .env), command execution via curl | bash pipelines, and suspicious data-exfiltration attempts. It then assigns a quantified risk score that tells the user whether the skill is safe to execute or threatens system integrity.

Installation

To integrate this security layer into your agent, use the following command:

clawhub install openclaw/skills/skills/amir-ag/clawhub-skill-scanner

Ensure this is installed in your base environment before adding any third-party plugins. You can verify the installation by checking that the path scripts/scan_skill.py exists inside your local OpenClaw folder.

Use Cases

This skill is intended for every OpenClaw user, especially those who frequently experiment with community-contributed automation scripts. Use it before:

  • Integrating a new skill downloaded from an unverified GitHub repository.
  • Running clawhub install for any external or third-party plugin.
  • Importing custom Python modules that interact with the local filesystem or execute shell commands.
  • Auditing existing legacy skills to ensure they comply with updated security policies.

Example Prompts

  1. "OpenClaw, please run the scanner on the folder ~/downloads/experimental-scraper before I attempt to install it."
  2. "Scan the skill in /home/user/skills/ai-bot-v2 and let me know if it gets a safety score higher than 20."
  3. "Clawhub, perform a full security audit on this directory and only proceed with installation if the code is marked as safe."

Tips & Limitations

While the scanner is highly effective at detecting known malicious patterns and obfuscated code, it is a static analysis tool. It cannot predict behavior in complex, multi-stage, or runtime-generated payloads. Always treat high-risk scores as a hard stop. Even if a skill passes, be cautious when granting permissions to new plugins. Keep the scanner updated to ensure it recognizes the latest threat patterns identified by the security community.

Metadata

Author: @amir-ag
Stars: 4473
Views: 0
Updated: 2026-05-01

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-amir-ag-clawhub-skill-scanner": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags

#security #cybersecurity #audit #developer-tools #safe-coding
Safety Score: 5/5

Flags: file-read, code-execution