Security audit + append-only logging + monitoring for OpenClaw skills (file-level diff, baseline approval, SHA-256 integrity). Requires Python ≥3.9 and git.
Security Analysis
High confidence: The package is an internal static-audit/monitoring tool whose code, requirements, and behavior align with its stated purpose. It does not request unrelated credentials or perform network calls, but it will read skill files and write local append-only logs, so you should review where those logs and snapshots are stored and who can read them.
Name/description (security audit, file diff, SHA-256, baseline approval) match the included Python scripts and JSON config. Requested runtime (Python ≥3.9 and git) is exactly what the tool needs for local scanning, git snapshots, and logging. The presence of risk patterns and rules (network / dangerous-command needles) is appropriate for a scanner that must detect those strings.
The SKILL.md and the scripts consistently describe a local static-analysis workflow: reading files under workspace/skills, running git subprocesses, computing hashes, and appending NDJSON logs. The skill explicitly states it will not execute audited skill code. Important privacy note: the scanner reads skill files and stores snippets/evidence and extracted domains in logs; these logs (and git snapshots) may therefore contain sensitive data if any audited skill stores secrets in files. The SKILL.md enforces use of a 'show' command and warns against pushing full diffs by default — consistent with safer behavior, but users should confirm that logs and snapshots are protected.
No remote install/downloads or third-party package installs are declared. The package is instruction + local Python scripts (no install spec). That is the lowest-risk install pattern for this kind of tool.
The skill requests no environment variables, credentials, or external endpoints. That is proportionate. However, the scanner intentionally looks for sensitive-path patterns (e.g., ~/.ssh, AWS keys) and will record evidence snippets and domains, so while it doesn't require your secrets, it may surface and store them if they are present in audited skill files. Users should restrict file-system access to the audit directory and logs (~/.openclaw/skills-audit).
The skill does not set always:true and does not attempt to modify other skills' configuration. It writes its own state/logs/snapshots under ~/.openclaw/skills-audit and has commands to create/manage baseline approvals; those are expected behaviors for an audit tool. The SKILL.md explicitly instructs agents not to auto-create cron jobs, which reduces unwanted persistence.
Guidance
This skill appears to do what it claims: local static scanning, git snapshots, baseline approval, and append-only logging. Before installing or enabling it:
(1) Inspect and confirm the log/snapshot path (~/.openclaw/skills-audit) and set filesystem permissions so only authorized users can read it, because logs may include snippets from scanned files (including secrets if present).
(2) Run the scanner manually once in a controlled environment to observe outputs before allowing automated cron runs.
(3) Do not allow the Agent to auto-create cron jobs; follow the SKILL.md guidance to create any scheduled tasks manually after review.
(4) If you need absolute assurance that no network calls occur, review the scripts for any added dependencies or changes (the shipped code currently avoids HTTP clients).
(5) If you plan to audit sensitive or production skills, consider running the scan inside a sandboxed account or VM and rotate access to the audit directory.
All of the notable static 'dangerous' strings are detection rules (expected) rather than evidence of outbound network/exfiltration behavior.
Latest Release
v1.0.3
Clear responsibility boundary: scripts contain no network/HTTP/model code; Agent semantic understanding is an Agent-level capability governed by Agent deployment policies.
Published by @ucloud-security on ClawHub