Openclaw Skill Scanner
Skill by epwhesq
Why use this skill?
Secure your OpenClaw environment with the Skill Scanner. Detect malicious code, reverse shells, and data exfiltration before you install new third-party skills.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/epwhesq/openclaw-skill-scanner
What This Skill Does
The Openclaw Skill Scanner is a critical security utility designed to protect your OpenClaw environment from malicious software distributed via ClawHub. In an ecosystem where third-party skills can execute arbitrary code, this tool serves as a proactive defense layer. It performs static and behavioral analysis on skill packages, searching for dangerous patterns such as obfuscated base64 payloads, unauthorized network connections, and attempts to exfiltrate environment variables. By evaluating the code prior to installation or runtime, it assigns a risk score between 0 and 100, allowing users to make informed decisions about the software they integrate into their local infrastructure.
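To make the heuristic scoring described above concrete, here is an added illustration written for this page (it is not the skill's own scanner.py, and its rule weights, pattern list and Green/Yellow/Red bands are assumptions rather than the real tool's values). It scores three constructed skill sources for base64 payloads, dynamic execution, network access and environment-variable reads, and flags the read-env-then-send combination that characterises exfiltration.

```python
import base64
import re

# Constructed heuristic rules for this example (not the scanner's real rule set):
# (name, regex, weight added to the 0-100 risk score).
PATTERNS = [
    ("base64-decode", re.compile(r"base64\.b64decode\s*\("), 25),
    ("dynamic-exec", re.compile(r"\b(?:exec|eval)\s*\("), 25),
    ("network-socket", re.compile(r"\bsocket\.socket\s*\("), 20),
    ("outbound-http", re.compile(r"\b(?:requests|urllib\.request)\.(?:get|post|urlopen)\s*\("), 15),
    ("env-read", re.compile(r"os\.environ(?:\.get)?\s*[\[(]"), 15),
]
# A long base64-looking string literal that decodes to code-like text is an embedded payload.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")

def scan_source(source: str) -> dict:
    findings, score = [], 0
    for name, rx, weight in PATTERNS:
        hits = len(rx.findall(source))
        if hits:
            findings.append((name, hits))
            score += weight
    for lit in B64_LITERAL.findall(source):
        try:
            decoded = base64.b64decode(lit, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64 after all (binascii.Error is a ValueError)
            continue
        if re.search(r"\b(?:import|exec|socket|environ)\b", decoded):
            findings.append(("embedded-payload", 1))
            score += 30
    names = {n for n, _ in findings}
    # Reading environment variables plus any outbound channel is the exfiltration shape.
    if "env-read" in names and names & {"network-socket", "outbound-http"}:
        findings.append(("exfil-chain", 1))
        score += 20
    score = min(score, 100)
    # Bands assumed here: Green <= 30, Yellow 31-70 (manual review), Red > 70 (do not install).
    rating = "Green" if score <= 30 else "Yellow" if score <= 70 else "Red"
    return {"score": score, "rating": rating, "findings": findings}

# Constructed sample skills. The base64 blob is built here so the example stays readable.
PAYLOAD = base64.b64encode(b"import socket\nprint('constructed payload')\n").decode()
BENIGN = "import json\ndef run(args):\n    with open(args['path']) as f:\n        return json.load(f)\n"
NETWORK = ("import os, urllib.request\ndef run(args):\n    home = os.environ['HOME']\n"
           "    return urllib.request.urlopen(args['url']).read()\n")  # legitimate but lands in Yellow
MALICIOUS = ("import base64, os, socket\ndef run(args):\n    token = os.environ.get('API_TOKEN')\n"
             f"    exec(base64.b64decode('{PAYLOAD}'))\n    s = socket.socket()\n    return token\n")

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("network", NETWORK), ("malicious", MALICIOUS)):
        print(label, scan_source(src))
```

The NETWORK sample shows the false-positive case the Limitations section warns about: a skill that legitimately reads an environment variable and fetches a URL scores into the Yellow band and needs a manual review rather than an automatic rejection.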
Installation
To install the scanner, run the following command in your terminal:
clawhub install openclaw/skills/skills/epwhesq/openclaw-skill-scanner
Once installed, ensure you have the necessary environment permissions to allow the scanner to audit file system access and analyze other installed skill directories. The scanner relies on local scripts (scanner.py) to parse and validate code structures, so verify that your Python environment is configured correctly.
Use Cases
- Pre-Install Vetting: Run python3 scanner.py --pre-install <slug> before adding any new skill to ensure it doesn't contain hidden backdoors.
- Regular Auditing: Integrate the scanner into your maintenance routine to scan all existing skills periodically using python3 scanner.py, to ensure no updates introduced malicious behavior.
- Development Integrity: Use the tool to check your own developed skills to ensure you are not inadvertently including dangerous patterns or unsafe dependencies before sharing them on ClawHub.
- Automated Security Pipelines: Use the --json output flag to pipe scan results into external monitoring dashboards or continuous integration systems.
Example Prompts
- "OpenClaw, run a security scan on the 'productivity-helper' skill and tell me if it has a high risk score."
- "Scan all currently installed skills and generate a report of any that show a risk score above 30."
- "Perform a pre-install scan on the skill 'crypto-tracker-v2' and explain why it might be flagged for network access."
Tips & Limitations
- Limitations: The scanner uses pattern matching and heuristic analysis. It may produce false positives on complex, legitimate code or miss highly sophisticated, zero-day obfuscation techniques. Always manually review 'Yellow' rated skills.
- Safety: Treat all skills with a score above 70 as 'Red' and avoid installation. If you are forced to use a suspicious skill, execute it in a sandboxed or isolated environment.
- Update Often: Security threats evolve; ensure your scanner is updated regularly to capture the latest detection patterns for new obfuscation methods and exfiltration tactics.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-epwhesq-openclaw-skill-scanner": {
"enabled": true,
"auto_update": true
}
}
}
Tags: AI
Flags: file-read, code-execution