security-check
Security audit and inspection skill for Clawdbot skills. Use this when you need to check skills for security vulnerabilities before installation, perform regular security audits on installed skills, verify skill description matches actual behavior, scan for prompt injection attempts, check for hardcoded secrets or credentials, verify no malicious intent in skill code or documentation, review file access patterns for potential configuration or secrets exposure, or audit dependencies for known vulnerabilities. This skill provides automated scanning tools and manual security checklists for comprehensive skill security assessment.
Why use this skill?
Use the OpenClaw security-check skill to audit bot behaviors, detect prompt injection, scan for secrets, and ensure your installed skills are safe and secure.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/wolffan/security-check-skillWhat This Skill Does
The security-check skill serves as the primary defense mechanism for the OpenClaw ecosystem. It acts as a comprehensive security auditing suite designed to inspect, validate, and monitor skills before and during their lifecycle within your environment. By leveraging a combination of static analysis tools and structured manual checklists, this skill helps users identify malicious intent, prevent prompt injection attacks, detect hardcoded secrets, and verify that skill behavior aligns with its documented claims. It essentially provides a sandbox verification layer, ensuring that no malicious code or insecure configuration enters your Clawdbot environment.
Installation
To install this essential security utility, run the following command in your terminal:
clawhub install openclaw/skills/skills/wolffan/security-check-skill
Ensure you have the latest version of Clawhub and the necessary system permissions to execute scripts within the skill environment.
Use Cases
- Pre-installation vetting: Scanning new, untrusted skills from ClawdHub before execution.
- Scheduled Audits: Running automated, daily security scans on existing installations to detect regressions or compromised configurations.
- Vulnerability Assessment: Checking for hardcoded secrets such as API keys or environment variables accidentally included in source files.
- Compliance Verification: Ensuring that skills are not attempting unauthorized file system access or executing dangerous commands like
rm -rforeval. - Documentation Integrity: Verifying that the
SKILL.mdfile does not contain hidden instructions meant to bypass system prompts or manipulate model behavior.
Example Prompts
- "OpenClaw, run a full security check on the recently downloaded marketing-automation-tool and report any high severity issues."
- "Perform a deep audit on the installed 'file-sorter' skill, checking specifically for hardcoded API secrets and unauthorized network calls."
- "Is there any risk of prompt injection in the 'web-scraper' skill? Run the automated security scanner and let me know the findings."
Tips & Limitations
- Tip: Always prioritize the
HIGHseverity issues identified by the scanner; these usually indicate direct vulnerabilities or malicious intent. - Tip: Supplement automated scans with the manual checklist provided in
references/security-checklist.mdfor a defense-in-depth approach. - Limitation: The scanner cannot predict 100% of future 'zero-day' prompt injection techniques; always review external code with healthy skepticism.
- Limitation: While it checks for file access patterns, extremely obfuscated code may still require a manual code walkthrough.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-wolffan-security-check-skill": {
"enabled": true,
"auto_update": true
}
}
}Tags(AI)
Flags: file-read, code-execution