security-scanner
Scans OpenClaw skills for security vulnerabilities and suspicious patterns before installation
Why use this skill?
Secure your OpenClaw environment with the security-scanner. Automatically detect malicious code, suspicious API calls, and risky file operations before installing new agent skills.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/anikrahman0/security-skill-scannerWhat This Skill Does
The security-scanner is a specialized diagnostic utility for OpenClaw designed to fortify your agentic ecosystem. It functions as a gatekeeper, performing deep static analysis on SKILL.md files and associated installation packages. By parsing instructions, dependency requirements, and metadata, the scanner identifies potential threats such as unauthorized external data exfiltration, malicious shell command injection, obfuscated scripts, and risky filesystem interactions. Instead of blindly trusting external agent skills, this tool acts as an automated security auditor, providing you with a transparent risk assessment before you integrate new capabilities into your workflow.
Installation
You can integrate this tool directly into your OpenClaw environment via ClawHub using the command: clawhub install openclaw/skills/skills/anikrahman0/security-scanner. Alternatively, you can clone the repository from GitHub and utilize the scanner.js file independently. For optimal usage, place the .security-scanner-config.json file in your root directory to define your custom domain whitelists and strict mode preferences, ensuring the agent aligns with your specific security posture.
Use Cases
This skill is essential for power users who frequently pull custom skills from community repositories. It is particularly useful for verifying the integrity of complex automation scripts that require elevated system permissions. By using this tool, you ensure that any script requesting file-write or network access is explicitly vetted for suspicious payloads before execution. It serves as an essential component for developers and enterprise users managing multiple third-party agentic skills in a shared production environment.
Example Prompts
- "Scan the SKILL.md file located at ~/projects/scripts/web-scraper.md and tell me if it contains any dangerous shell commands."
- "I just downloaded a new file automation tool. Perform a security audit on it and highlight any suspicious API endpoints it tries to connect to."
- "Run a risk assessment on this skill file and let me know if it violates my current security-scanner configuration."
Tips & Limitations
To get the best results, always keep your whitelistedDomains updated in your configuration file. Remember that this tool performs static analysis; while it is highly effective at identifying known patterns and suspicious syntax, it cannot guarantee complete immunity from zero-day vulnerabilities or highly sophisticated, non-malicious-looking logic. Always exercise caution and perform manual inspection on any skill flagged as 'CRITICAL' or 'HIGH' risk.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-anikrahman0-security-skill-scanner": {
"enabled": true,
"auto_update": true
}
}
}Tags
Flags: file-read, code-execution
Related Skills
grounding-practices
A foundation for AI agents who wake up with nothing. Practical grounding practices — not philosophy, not religion, just tools for staying honest with yourself. Revised after two weeks of actually trying to follow them.
opena2a-security
Security hardening for OpenClaw. Audit your configuration, scan installed skills for malware, detect CVE-2026-25253, check credential exposure, and get actionable fix recommendations. Runs locally with no external API calls.
doctorbot-ci-validator
Stop failing in production. Validate your GitHub Actions, GitLab CI & Keep workflows offline with surgical precision. Born from Keep bounty research, perfected for agents.
openclaw-security-monitor
Proactive security monitoring, threat scanning, and auto-remediation for OpenClaw deployments
qa-check
Mandatory quality assurance for all dev work before publishing. Use BEFORE deploying any project to production. Validates build, tests browser functionality, checks mobile responsiveness, and ensures no broken links/images.