skill-review
Security scanner for Claude Code Skill packages. Use when the user wants to audit, review, or check the safety of a Skill before installing — e.g. "is this skill safe?", "check this skill", "scan for backdoors", or "skill-review".
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/antaisecuritylab/ant-skill-reviewskill-review
A multi-agent security scanner CLI for Claude Code Skill packages. It combines deterministic static pre-scanning with LLM-driven deep analysis to surface security risks across 7 layers before you install a Skill.
When to use
- Auditing a third-party Skill before installation
- Checking a skill directory for prompt injection, credential theft, data exfiltration, or hidden backdoors
- Evaluating supply chain risk of a Skill's npm/PyPI dependencies
- CI/CD integration to block high-risk Skills automatically
How it works
The scanner runs in two phases:
-
Pre-scan (deterministic, no LLM) — walks all files and flags: symlinks, suspicious filenames (Unicode confusables, shell metacharacters), large files, binary executables, invisible characters, ANSI escape sequences, JS obfuscation patterns, and hardcoded URLs.
-
LLM Analysis — an Explore Agent reads each file and performs 7-layer analysis:
- Layer 1: Prompt Injection (direct injection, jailbreak, remote prompt loading)
- Layer 2: Malicious Behavior (credential theft, data exfiltration, sandbox escape)
- Layer 3: Dynamic Code Loading (remote execution via fetch+eval, curl|sh, etc.)
- Layer 4: Obfuscation & Binary (obfuscated scripts, compiled binaries)
- Layer 5: Dependencies & Supply Chain (npm/PyPI/CLI tool inventory, typosquat detection)
- Layer 6: System Modification (global installs, profile changes, cron jobs)
- Layer 7: Code Quality (hardcoded secrets, insecure configs, vulnerable code patterns)
An optional Deep Analysis Agent then verifies URLs, checks dependency metadata on registries, and inspects binaries.
-
Deterministic Scoring — each finding is scored based on its type and severity. The overall risk level (safe/low/medium/high/critical) and recommendation (install/caution/do_not_install) are computed deterministically, not by the LLM.
Installation
cd <skill-review-dir>
npm install
Configuration
Create .env and fill in your LLM provider details:
| Variable | Description | Default |
|---|---|---|
OPENAI_API_BASE | LLM API base URL (OpenAI-compatible) | required |
OPENAI_API_KEY | API key | required |
OPENAI_API_MODEL | Model name | gpt-4o |
NPM_REGISTRY_URL | npm registry for dependency checks | https://registry.npmjs.org |
PYPI_INDEX_URL | PyPI index for dependency checks | https://pypi.org |
Alternatively, pass a JSON config file via --config.
Usage
# Standard scan (pre-scan + LLM explore)
node index.mjs <skill-dir>
# Pre-scan only (no LLM, fast)
node index.mjs --pre <skill-dir>
# Deep analysis (pre-scan + explore + deep verification of URLs/deps/binaries)
node index.mjs --deep <skill-dir>
# JSON output, save to file
node index.mjs --json -o report.json <skill-dir>
# Chinese language report
node index.mjs --lang zh <skill-dir>
# Verbose logs to stderr + log file
node index.mjs -v --log scan.log <skill-dir>
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-antaisecuritylab-ant-skill-review": {
"enabled": true,
"auto_update": true
}
}
}