Analyzes the security posture of a user's OpenClaw environment and installed skills. Use when a user is about to install a new skill and wants to verify its...
Security Analysis
High confidence: The skill is an instruction-only OpenClaw security scanner whose requested capabilities and instructions are coherent with its stated purpose; the only flagged pattern is a prompt-injection phrase that appears inside its own detection rules (expected).
Name/description match behavior: it runs OpenClaw's audit commands and local static analysis rules. It only requires the 'openclaw' binary (declared) and no credentials, which is proportionate for an OpenClaw security assessment tool.
SKILL.md instructs the agent to run 'openclaw security audit --deep' and 'openclaw skills list', then perform static (local) analysis using the included reference rules. Instructions explicitly forbid executing suspicious code or enumerating arbitrary user files. Reading installed skill files for static analysis is expected and within scope.
No install spec or downloaded artifacts — instruction-only. This minimizes disk-write and supply-chain risk. Requiring an existing 'openclaw' binary is reasonable.
No environment variables, credentials, or config paths are requested. The included detection rules reference sensitive paths (e.g., ~/.ssh, ~/.aws) as things to flag if a target skill tries to access them — that is appropriate for a scanner and does not mean the scanner itself needs those secrets.
Skill is not marked 'always:true' and does not request persistent/system-wide modifications. Autonomous invocation is allowed (platform default) but not combined with elevated or unexplained privileges.
Guidance
This skill is an instruction-only scanner and appears coherent with its purpose. Before using it: (1) ensure the 'openclaw' binary installed on your system is the official/trusted version, (2) confirm the scanner will only perform static reads of installed skill files and will not execute untrusted code (the SKILL.md says it won't, but double-check), and (3) if you plan to run scans on sensitive environments, run them in an isolated/test environment first. Review the included reference/skillaudit.md rules so you understand what the scanner flags and why.
Latest Release
v1.0.0
Initial release of aliyun-clawscan: OpenClaw security assessment tool.
- Provides comprehensive security audits of OpenClaw configurations and installed skills.
- Detects critical risks such as backdoors, credential theft, data exfiltration, and malicious downloaders.
- Classifies findings by severity and offers easy-to-read consolidated reports.
- Recommends clear safety actions, including pre-install checks and audit summaries.
- Emphasizes strict safety: no code execution, only static analysis with evidence-based reporting.
Published by @aliyun-ai-sec on ClawHub