Official Verified developer tools Safety 5/5

skills-audit

Audit locally installed agent skills for security/policy issues using the SkillLens CLI (`skilllens scan`, `skilllens config`). Use when asked to scan a skills directory (Codex/Claude) and produce a risk-focused audit report based on each skill's `SKILL.md` and bundled resources.

Why use this skill?

Use the Skills Audit tool to scan and secure your OpenClaw agent environment, detect malicious code, and prevent unauthorized access with automated security reports.


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/morozred/skill-audit

What This Skill Does

The Skills Audit skill is a security-focused utility designed to maintain the integrity of your OpenClaw agent environment. It leverages the SkillLens CLI to perform deep inspections of locally installed agent skills. By auditing SKILL.md files, bundled resource directories, and configuration manifests, it identifies potential security threats before they can be executed by your agent. This skill acts as an automated gatekeeper, systematically uncovering risks ranging from unauthorized network exfiltration to dangerous shell execution patterns. It provides a structured workflow for auditing, ranking, and remediating vulnerabilities within your custom skill collection.

Installation

You can integrate this tool into your environment using the following command: clawhub install openclaw/skills/skills/morozred/skill-audit

For the underlying scanner functionality, ensure you have the SkillLens CLI installed:

  • For one-off use: npx skilllens scan
  • For a global installation: pnpm add -g skilllens

Use Cases

  • Security Hardening: Periodically scan your ~/.codex/skills directory to ensure third-party skills have not been compromised or updated with malicious code.
  • Pre-deployment Review: When downloading new skills from untrusted or community sources, use this tool to vet the code before allowing the OpenClaw agent to load them.
  • Policy Enforcement: Audit skills to ensure they adhere to local data handling policies, specifically looking for attempts to exfiltrate environment variables or access sensitive system files like SSH keys or browser cookies.

Example Prompts

  1. "Perform a security audit on all my currently installed skills and generate a risk report for anything marked suspicious."
  2. "Scan the directory ~/.codex/skills for any potential exfiltration risks and recommend changes to isolate those skills."
  3. "Audit my skills directory and force a re-scan of everything; provide a list of any skills that require manual review due to missing signatures."

Tips & Limitations

  • Manual Review is Essential: While this skill automates the detection of potential issues, it cannot fully understand intent. Always manually inspect code in scripts/ or assets/ folders if the auditor flags them.
  • Scope Management: Always define a specific path for the scan to reduce processing time and minimize false positives.
  • Permissions: Ensure the user running the scan has read access to the target skill directories.
  • Verdict Accuracy: Treat any 'skipped' or 'unknown' status as a high-priority manual review item rather than assuming the skill is safe.
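
The fail-closed triage described in the tips above, as an added illustration (not SkillLens or the skill's own code): a skill counts as clean only when its SKILL.md exists and every bundled file could be read, and anything else is queued first for manual review. The indicator patterns, function names and sample skills are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

INDICATORS = {  # hypothetical patterns for risk classes the page names, not SkillLens's rules
    "ssh-key-access": re.compile(r"\.ssh/|id_rsa|id_ed25519"),
    "browser-cookie-access": re.compile(r"cookies\.sqlite|/Cookies\b"),
    "env-dump": re.compile(r"os\.environ|\bprintenv\b|process\.env"),
    "shell-exec": re.compile(r"\bsubprocess\b|os\.system|\|\s*(?:ba)?sh\b"),
    "network-egress": re.compile(r"\bcurl\b|\bwget\b|requests\.post|urllib"),
}

def audit_skill(skill_dir: Path) -> dict:
    """Scan one skill directory; the verdict is 'clean' only if every file was read."""
    hits, skipped = [], []
    if not (skill_dir / "SKILL.md").is_file():
        skipped.append("SKILL.md missing")
    for path in sorted(p for p in skill_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(skill_dir).as_posix()
        try:
            text = path.read_text(encoding="utf-8")
        except (OSError, UnicodeDecodeError):
            skipped.append(f"{rel}: unreadable or binary")  # cannot be cleared automatically
            continue
        hits += [f"{rel}: {name}" for name, rx in INDICATORS.items() if rx.search(text)]
    verdict = "suspicious" if hits else "unknown" if skipped else "clean"
    return {"skill": skill_dir.name, "verdict": verdict, "hits": hits, "skipped": skipped}

def audit_root(root: Path) -> list:
    """Audit each skill under root; non-clean results sort first for manual review."""
    results = [audit_skill(d) for d in sorted(root.iterdir()) if d.is_dir()]
    return sorted(results, key=lambda r: (r["verdict"] == "clean", r["skill"]))

def build_sample(root: Path) -> None:
    files = {  # constructed sample skills, not real ones
        "notes/SKILL.md": b"Summarise meeting notes.\n",
        "sync/SKILL.md": b"Sync settings.\n",
        "sync/scripts/run.sh": b"printenv > out.txt\nls ~/.ssh/\ncurl -s https://example.invalid/ping\n",
        "orphan/assets/blob.bin": b"\xff\xfe\x00\x81",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(*audit_root(Path(tmp)), sep="\n")
```

A pattern hit is only a pointer to the file a reviewer should open; a 'clean' verdict here means no indicator matched, not that the skill is safe.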

Metadata

Author: @morozred
Stars: 1401
Views: 2
Updated: 2026-02-24

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-morozred-skill-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#security #audit #developer-tools #compliance #skilllens
Safety Score: 5/5

Flags: file-read, code-execution