Scan OpenBot/Clawdbot skills for security vulnerabilities, malicious code, and suspicious patterns before installing them. Use when a user wants to audit a skill, check if a ClawHub skill is safe, scan for credential exfiltration, detect prompt injection, or review skill security. Triggers on security audit, skill safety check, malware scan, or trust verification.
Security Analysis
medium confidenceThe skill is coherent with its stated purpose (a static skill scanner) and doesn't request credentials, but running the included Python scanner code executes third‑party code and the repository uses many 'noscan' markers (which can hide content from other scanners), so proceed with caution.
Name/description align with the shipped assets: scripts/scan.py and scripts/advanced_checks.py implement static rules, entropy checks, payload decoding, dependency checks, and scanning of package.json/requirements — all reasonable for a skill scanner. No unrelated env vars, binaries, or install hooks are requested.
SKILL.md instructs the agent/user to run the supplied Python scanner against a local skill folder (python3 scripts/scan.py <skill-path>). That instruction is within scope, but it means the agent/operator will execute code included with the skill (the scanner itself). The scanner will read many files inside the target skill (package.json, requirements, source files) and perform decoding and AST/static checks — expected, but requires executing the scanner code on your environment.
No install spec provided (instruction-only meta plus Python scripts). No external downloads or install actions are declared. This minimizes supply-chain install risk, but executing the included Python files still runs third-party code.
The skill requests no environment variables or credentials (proportionate). However, the scanner's rules explicitly look for credential access patterns in target code (e.g., os.environ, process.env) — which is appropriate for a scanner. Important: the scanner will be executed locally, so it will have whatever filesystem and runtime privileges the executor provides; no additional credentials are required by the skill itself.
Flags show always:false and user-invocable:true; the skill does not request persistent/automatic inclusion or system-wide config changes. There are no install scripts or persistent agents declared.
Guidance
This package appears to be a legitimate static scanner, but you must treat the scanner code as untrusted third‑party code because running it will execute Python on your system. Before running it: (1) review scripts/advanced_checks.py and scripts/scan.py for use of exec/eval, subprocess calls, or network-sending code; (2) run the scanner only in an isolated environment (docker container, VM) with no network access and limited filesystem permissions; (3) search the files for dynamic execution patterns (eval/exec, subprocess/os.system), long encoded strings, or hardcoded endpoints; (4) note the many '# noscan' markers used in the code — these can hide lines from other scanners and merit a manual review of the surrounding code; (5) prefer scanner copies from a known/trusted source (official homepage or repo) rather than an unknown origin; and (6) if you only need static scanning, consider running a minimal, well-audited scanner instead of executing unfamiliar full-featured scripts. If you want, I can highlight specific lines to inspect or extract suspicious patterns from the source files for a focused review.
Latest Release
v2.1.0
12-layer security scanner for AI agent skills. Detects credential theft, prompt injection, malicious dependencies.
More by @HugoSbl
Published by @HugoSbl on ClawHub
