Official Verified developer tools Safety 5/5

skill-scanner

Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/bvinci1-design/skill-scanner
What This Skill Does

The skill-scanner is a robust security audit tool designed specifically for the Clawdbot and MCP (Model Context Protocol) ecosystem. As the landscape of AI agents expands, the risk of installing malicious plugins or compromised skills increases. This utility acts as a proactive security layer, scanning local skill directories for hidden threats. It parses code to identify malicious patterns such as crypto-miners, unauthorized data exfiltration routines, suspicious system modification attempts, and backdoors. By utilizing signature-based detection and heuristic analysis, it flags obfuscated code that might otherwise bypass human review. It is an essential component for any developer or power user who integrates third-party tools into their AI agent workflow.

Installation

To integrate this security tool, use the Clawhub CLI. Ensure your environment is set up for OpenClaw development, then execute the following command in your terminal:

clawhub install openclaw/skills/skills/bvinci1-design/skill-scanner

Once installed, the tool functions as a standalone script or an integrated agent capability. For a graphical interface, install the optional frontend dependency via pip install streamlit, then run streamlit run streamlit_ui.py to launch the security dashboard.

Use Cases

  • Pre-deployment Verification: Use this tool whenever you download a new skill from an untrusted or public repository to ensure it adheres to security best practices.
  • Regular System Audits: Run periodic scans on your active skills/ folder to detect unauthorized changes or potential vulnerabilities introduced by automated updates.
  • Development Security: Use it during your own skill development phase to ensure your code does not contain insecure patterns or accidental data leakage paths.
  • Forensic Analysis: If an agent behaves unexpectedly, run this scanner to check for known malicious code signatures that may have compromised your local agent environment.

Example Prompts

  1. "Scan the recently installed web-scraper skill for any potential data exfiltration threats using skill-scanner."
  2. "Perform a deep security audit on the python-data-processor skill and provide a summary of your findings."
  3. "Is there any obfuscated code or crypto-mining logic inside the newly downloaded finance-bot skill? Please check it with skill-scanner."

Tips & Limitations

  • Limitations: No security scanner is 100% effective. While this tool excels at catching known patterns and suspicious syntax, it may struggle with highly sophisticated, polymorphic malware designed to evade static analysis. Always use your best judgment when granting skills extensive system permissions.
  • Updates: Ensure you keep the skill-scanner updated to receive the latest threat signature definitions.
  • Environment: The scanner is most effective when run on the root directory of the skill to ensure all sub-modules are evaluated. Use the CLI version for automated CI/CD pipeline integration.

Metadata

Stars: 4190
Views: 0
Updated: 2026-04-18

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-bvinci1-design-skill-scanner": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#security #audit #scanner #malware #privacy
Safety Score: 5/5

Flags: file-read, code-execution