ClawKit Logo
ClawKitReliability Toolkit
Back to Registry
Official Verified developer tools Safety 5/5

claw-skill-guard

Security scanner for OpenClaw skills. Detects malicious patterns, suspicious URLs, and install traps before you install a skill. Use before installing ANY skill from ClawHub or external sources.

Why use this skill?

Protect your OpenClaw environment with claw-skill-guard. Automatically scan skills for malware, malicious patterns, and install traps before you install them.

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/vincentchan/claw-skill-guard
Or

What This Skill Does

claw-skill-guard is an essential security utility for every OpenClaw user. It serves as a static analysis engine designed to inspect the source code and installation manifests of agent skills before they are executed in your environment. By scanning for malicious patterns such as remote code execution via pipes, obfuscated base64 payloads, and unauthorized sudo calls, this tool acts as your first line of defense against supply chain attacks. It cross-references installation scripts against known-safe patterns and flags dangerous behaviors, providing a clear risk assessment (CRITICAL, HIGH, MEDIUM, LOW) so you can make informed decisions before running untrusted code.

Installation

To install the security scanner, add the following to your AGENTS.md file:

  • Install Command: clawhub install openclaw/skills/skills/vincentchan/claw-skill-guard
  • Source Repo: openclaw/skills
  • Author: vincentchan

Once installed, ensure that your local OpenClaw directory is correctly mapped to the scripts/claw-skill-guard/ path so you can run the scanner from your terminal.

Use Cases

  • Vetting Third-Party Plugins: Before adding a new productivity skill from an untrusted ClawHub author, run this scanner to ensure the plugin doesn't contain hidden backdoors or unauthorized network calls.
  • Security Auditing: Regularly audit your local skills/ directory to ensure existing plugins haven't been modified or compromised through local file manipulation.
  • Team Policy Enforcement: Integrate this into your development workflow to enforce a 'no install' policy for any skill that receives a CRITICAL or HIGH risk rating from the scanner.

Example Prompts

  1. "Check the skill at https://clawhub.com/dev/auto-deploy-tool for any malicious install commands or suspicious network requests."
  2. "Scan my local ./skills directory for any plugins that might be accessing .env files or attempting to escalate privileges."
  3. "Is the 'twitter-analytics' skill safe to install? Run the claw-skill-guard scanner and summarize the findings."

Tips & Limitations

  • Static Analysis Only: The scanner looks at code patterns but does not execute the code in a sandbox. It cannot catch highly sophisticated 'zero-day' exploits that do not follow known malicious patterns.
  • False Positives: Sometimes, legitimate build tools look like malicious ones (e.g., a build tool using curl to fetch a dependency). Always manually review lines flagged as CRITICAL.
  • Keep It Updated: Since malware techniques evolve, ensure you pull the latest version of the scanner frequently to get updated regex patterns.
Read Full Documentation on GitHub

Metadata

Author@vincentchan
Stars919
Views2
Updated2026-02-12
View Author Profile
AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-vincentchan-claw-skill-guard": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags(AI)

#security#scanner#audit#cybersecurity#devops
Safety Score: 5/5

Flags: file-read, code-execution

Related Skills

tweet-ideas-generator

Generates 60 high-impact tweet ideas from reference content across 5 categories. Use when someone wants to extract engaging short-form statements from content for Twitter/X, organized by harsh advice, quotes, pain points, counterintuitive truths, and key insights.

vincentchan 919

swipe-file-generator

Analyzes high-performing content from URLs and builds a swipe file. Use when someone wants to study and deconstruct successful content (articles, tweets, videos) to extract patterns, psychological techniques, and recreatable frameworks.

vincentchan 919

youtube-title-generator

Generates compelling YouTube title ideas from content concepts. Use when someone needs click-worthy video titles using proven structural formulas and psychological patterns from high-performing videos.

vincentchan 919

content-ideas-generator

Generates structured post outlines from reference materials for wisdom-style social posts. Use when someone wants to extract compelling concepts from newsletters, scripts, notes, or other content and transform them into engaging post outlines with paradoxes, transformations, and powerful insights.

vincentchan 919

content-draft-generator

Generates new content drafts based on reference content analysis. Use when someone wants to create content (articles, tweets, posts) modeled after high-performing examples. Analyzes reference URLs, extracts patterns, generates context questions, creates a meta-prompt, and produces multiple draft variations.

vincentchan 919