ClawKit Logo
ClawKitReliability Toolkit
Back to Registry
Official Verified

openclaw-skill-scanner

Security gate for OpenClaw AgentSkills. Scans folder/ClawHub skills with cisco-ai-defense/skill-scanner before installation. Supports manual scans, staged installs, and auto-quarantine of high-risk skills via systemd.

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/jason-allen-oneal/skill-scanner-guard
Or

Skill Scanner Guard

Harden OpenClaw’s skill supply chain:

  • Scan skills with cisco-ai-defense/skill-scanner
  • Block only on High/Critical
  • Allow Medium/Low/Info but warn
  • Auto-scan on changes to ~/.openclaw/skills
  • Quarantine failing skills to ~/.openclaw/skills-quarantine

Quick start

Install skill-scanner (repo + uv env)

cd "$HOME/.openclaw/workspace"
# or wherever you keep repos

git clone https://github.com/cisco-ai-defense/skill-scanner
cd skill-scanner
CC=gcc uv sync --all-extras

Note: some environments try gcc-12 while building yara-python; forcing CC=gcc avoids that.

Workflows

1) Scan all user skills (manual)

User skills live at:

  • ~/.openclaw/skills

Run:

$HOME/.openclaw/skills/skill-scanner-guard/scripts/scan_openclaw_skills.sh

Outputs go to:

  • /home/rev/.openclaw/workspace/skill_scans/

2) Install a folder skill with scan gate (copy/clone workflow)

Use the wrapper instead of copying directly:

$HOME/.openclaw/skills/skill-scanner-guard/scripts/scan_and_add_skill.sh /path/to/skill-dir

Policy:

  • Block only if High/Critical exist (unless --force)
  • Still installs if only Medium/Low/Info exist, but prints a warning summary

3) Install from ClawHub with scan gate (staging install)

Install to a staging dir, scan, then copy into ~/.openclaw/skills only if allowed:

$HOME/.openclaw/skills/skill-scanner-guard/scripts/clawhub_scan_install.sh <slug>
# optionally
$HOME/.openclaw/skills/skill-scanner-guard/scripts/clawhub_scan_install.sh <slug> --version <version>

4) Auto-scan + quarantine on change (systemd user units)

Install the units (templates are in references/):

mkdir -p ~/.config/systemd/user
cp -a "$HOME/.openclaw/skills/skill-scanner-guard/references/openclaw-skill-scan."* ~/.config/systemd/user/

systemctl --user daemon-reload
systemctl --user enable --now openclaw-skill-scan.path

Behavior:

  • Any change under ~/.openclaw/skills/ triggers scripts/auto_scan_user_skills.sh
  • If High/Critical findings exist, the script moves failing skill directories to: ~/.openclaw/skills-quarantine/<skillname>-<timestamp>
  • Reports are written to: /home/rev/.openclaw/workspace/skill_scans/auto/

Inspect:

systemctl --user status openclaw-skill-scan.path
journalctl --user -u openclaw-skill-scan.service -n 100 --no-pager
ls -la ~/.openclaw/skills-quarantine

Bundled resources

scripts/

  • scan_openclaw_skills.sh: generate markdown reports for user + bundled skills
  • scan_and_add_skill.sh: scan candidate folder skill; install only if allowed
  • clawhub_scan_install.sh: stage-install from ClawHub, scan, then install
  • auto_scan_user_skills.sh: scan-all on ~/.openclaw/skills changes; quarantine High/Critical failures

references/

  • openclaw-skill-scan.path / openclaw-skill-scan.service: systemd --user path trigger units
Read Full Documentation on GitHub

Metadata

Author@jason-allen-oneal
Stars1947
Views0
Updated2026-03-04
View Author Profile
AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-jason-allen-oneal-skill-scanner-guard": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Safety NoteClawKit audits metadata but not runtime behavior. Use with caution.