scan-skill
Deep security analysis of an individual skill before installation
Why use this skill?
Safely install OpenClaw skills with the scan-skill tool. Automatically detect injection patterns, hidden commands, and malicious payloads before they hit your agent.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/itsnishi/scan-skillWhat This Skill Does
The scan-skill is a specialized security auditing tool designed specifically for the OpenClaw AI ecosystem. Its primary purpose is to perform a deep-dive, multi-layered inspection of individual agent skills before they are officially installed or executed. By acting as a secure gateway, the scan-skill scrutinizes the underlying architecture, manifest files, and hidden executable instructions of a target skill directory. It systematically hunts for known injection vectors, obfuscated malicious code, and dangerous command patterns that could compromise your agent's integrity. It goes beyond simple static analysis by reviewing SKILL.md frontmatter, checking for hidden imperative instructions tucked away in HTML comments, and detecting potential shell command injection vulnerabilities. Essentially, this tool acts as a dedicated security researcher that operates locally on your machine, ensuring that only verified and safe extensions are integrated into your OpenClaw environment.
Installation
Installing the scan-skill is straightforward and follows the standard OpenClaw repository convention. To add this tool to your local library, use the following terminal command:
clawhub install openclaw/skills/skills/itsnishi/scan-skill
Once installed, the script becomes available for direct execution. Ensure you have the necessary Python environment dependencies, as the scanner relies on a modular script structure to crawl and validate external directories efficiently.
Use Cases
- Vetting Third-Party Plugins: Before adding a skill authored by an external contributor to your primary workspace, use this scanner to ensure no hidden payloads exist.
- Security Auditing: Periodically scan your own installed skills to verify they have not been tampered with or do not contain legacy vulnerabilities that have since been identified by the community.
- Marketplace Review: For developers curating an agent library, this tool is essential for maintaining a high security standard for all included assets.
- Development Sandbox: Use it during the creation phase of your own skills to ensure you are following security best practices before publicizing your work.
Example Prompts
- "OpenClaw, please use scan-skill to analyze the directory at /home/user/downloads/new-plugin-project and show me the security report."
- "Run a full security audit on the skills in my current project folder using scan-skill, then highlight any findings with a severity level above 3."
- "scan-skill ./my-custom-agent-tool: check for any hardcoded API keys or suspicious shell invocations in the scripts folder."
Tips & Limitations
While the scan-skill is highly effective, it is not a replacement for human code review. It excels at identifying automated injection patterns but may struggle with highly sophisticated, logic-based exploits that disguise their true intent as valid functionality. Always treat the output of this scan as a diagnostic aid. If the tool identifies a high-severity flag, refrain from installing the target skill until a manual inspection by a developer has confirmed the findings. Regularly update your scan-skill to ensure the detection patterns stay synchronized with the latest emerging AI security threats.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-itsnishi-scan-skill": {
"enabled": true,
"auto_update": true
}
}
}Tags(AI)
Flags: file-read, code-execution