skillguard
Security scanner for ClawHub skills. Vet third-party skills before installation — detect dangerous patterns, suspicious code, and risky dependencies.
Why use this skill?
Secure your OpenClaw agent by scanning third-party skills for malicious code, risky dependencies, and security vulnerabilities before installation.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/g0head/clawscan
What This Skill Does
SkillGuard serves as an essential security sentinel for the OpenClaw ecosystem, acting as a gatekeeper between unverified third-party code and your local environment. Because the ClawHub platform allows open submissions without centralized moderation, users are exposed to supply chain attacks, data exfiltration, and arbitrary code execution. SkillGuard performs static analysis on skill repositories, identifying high-risk patterns such as unsafe shell invocations, hardcoded credential access, and malicious subprocess spawning. By vetting code before installation, it protects your system, environment variables, and local data from compromise.
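To make the static-analysis step above concrete, here is an added example (not SkillGuard's own code) of an AST-based scanner that flags the three risk classes named in this section: shell invocations, environment-variable and credential-file access, and dynamic code execution. The rule sets, the Finding type and the sample skill source are all constructed for this illustration; because matching is purely syntactic, the static-only limitation described under Tips & Limitations applies to it as well.

```python
import ast
from dataclasses import dataclass
from typing import List

# Constructed rule sets for the risk classes named above (hypothetical, not SkillGuard's signatures).
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.Popen", "subprocess.check_output"}
ENV_CALLS = {"os.getenv", "os.environ.get"}
DYNAMIC_EXEC = {"eval", "exec", "__import__"}
SECRET_HINTS = (".ssh", ".aws", ".env", "id_rsa", "credentials")

@dataclass
class Finding:
    line: int
    rule: str
    detail: str

def _dotted(node: ast.AST):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_source(src: str) -> List[Finding]:
    """Walk the AST once and collect findings. Resolution is purely syntactic,
    so indirect or obfuscated calls are not resolved (the static-only limit)."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SHELL_CALLS:
                shell = name in ("os.system", "os.popen") or any(
                    k.arg == "shell" and getattr(k.value, "value", None) is True
                    for k in node.keywords)
                findings.append(Finding(node.lineno, "shell-invocation",
                                        name + (" (shell=True)" if shell else "")))
            elif name in ENV_CALLS:
                findings.append(Finding(node.lineno, "env-access", name))
            elif name in DYNAMIC_EXEC:
                findings.append(Finding(node.lineno, "dynamic-exec", name))
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            findings.append(Finding(node.lineno, "env-access", "os.environ[...]"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(hint in node.value for hint in SECRET_HINTS):
                findings.append(Finding(node.lineno, "credential-path", node.value))
    return findings

# Constructed sample "skill" source used to exercise the rules.
SAMPLE_SKILL = '''import os, subprocess
token = os.environ["API_TOKEN"]
key_path = os.path.expanduser("~/.ssh/id_rsa")
subprocess.run("ls -l " + key_path, shell=True)
'''
```

Running `scan_source(SAMPLE_SKILL)` yields one finding per line 2, 3 and 4 (env-access, credential-path, shell-invocation with shell=True).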
Installation
To install the scanner, use the ClawHub CLI: clawhub install clawscan. Alternatively, clone the repository directly from the G0HEAD GitHub organization. Ensure you have Python 3.8+ installed on your system. Navigate to the directory and ensure execute permissions are set on the main script via chmod +x scripts/skillguard.py. Integration with your local shell environment is recommended for immediate access to auditing commands.
Use Cases
Use SkillGuard when you intend to install any third-party skill from an untrusted or unknown developer. It is also invaluable for developers who maintain their own skills, allowing them to perform automated security audits to ensure their code doesn't accidentally trigger security warnings. Furthermore, users can use it to perform bulk audits of their existing environments to ensure no dormant, malicious skills are present.
Example Prompts
- "SkillGuard, please scan the repo at ./my-new-skill and tell me if it tries to access any of my hidden configuration files or environment variables."
- "Run an audit of all currently installed skills on my system and generate a summary report of any suspicious dependencies detected."
- "Check the skill 'random-utility-tool' for any dangerous shell execution patterns or potential command injection vulnerabilities before I decide to install it."
Tips & Limitations
Always run scans in a clean environment if you suspect a skill is intentionally obfuscated. Note that SkillGuard is primarily a static analysis tool; while it is highly effective at catching known dangerous patterns and signature-based threats, it cannot execute the code to observe its runtime behavior. Consequently, it may struggle with highly polymorphic or deeply obfuscated code. It is best used as a first line of defense in a layered security strategy, and you should always perform a manual code review for any skill that asks for elevated system permissions.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-g0head-clawscan": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags: AI
Flags: file-read, code-execution