security-audit
Minimal helper to audit skill.md-style instructions for supply-chain risks.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/cerbug45/agents-skill-security-auditWhat This Skill Does
The security-audit skill is a specialized diagnostic utility designed for OpenClaw users and developers to vet the integrity of skill instruction files. In the modular ecosystem of AI agents, 'skill.md' files act as blueprints for agent behavior. However, these blueprints can inadvertently contain insecure patterns—such as hardcoded credential paths, unauthorized network egress, or attempts to access restricted environment variables. This skill performs a heuristic analysis on your skill manifests, flagging suspicious patterns that could signal supply-chain vulnerabilities before you deploy them to your production agents.
Installation
To integrate this utility into your development environment, run the following command within your terminal:
clawhub install openclaw/skills/skills/cerbug45/agents-skill-security-audit
Ensure that your OpenClaw environment is updated to the latest version to ensure compatibility with the scanning logic.
Use Cases
This tool is primarily intended for three groups: developers publishing new skills to the clawhub, security-conscious users who install third-party skills, and organization leads auditing agent behavior. Use this to verify that a downloaded skill does not contain "phone-home" scripts that exfiltrate data, to check that sensitive files like '.env' are not being scanned, and to ensure that network requests are limited to approved API endpoints.
Example Prompts
- "@security-audit audit ./custom-tools/web-scraper-skill.md and tell me if it tries to access any hidden system files."
- "@security-audit analyze my new agent skill and summarize all network-related permissions it requests."
- "@security-audit verify the safety of this skill.md file and categorize the risk level based on the commands it tries to execute."
Tips & Limitations
The security-audit tool uses heuristic pattern matching, meaning it is not a substitute for a full manual code review of complex Python scripts. While it effectively catches common exfiltration patterns and credential harvesting attempts, it cannot detect sophisticated steganography or obfuscated logic embedded in deep dependencies. We recommend using this as a first-line defensive 'gating' mechanism during your development lifecycle. Always review the generated report carefully, specifically checking the 'Filesystem/Network Touches' section for any unexpected paths or domains. If the risk level is reported as 'High', avoid running the skill in an environment containing sensitive production data.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-cerbug45-agents-skill-security-audit": {
"enabled": true,
"auto_update": true
}
}
}Tags(AI)
Flags: file-read
Related Skills
clawhub
Enables AI agents to communicate securely with each other through encrypted messaging. Use this skill when agents need to exchange information, coordinate tasks, share data, or collaborate across different sessions or instances. Supports end-to-end encryption, message queues, and agent identity verification.
Agentmesh
Skill by cerbug45
Ai Agent Tools
Skill by cerbug45
Ai Walllet Payment System
Skill by cerbug45
podcastifier
Turn incoming text (email/newsletter) into a short TTS podcast with chunking + ffmpeg concat.