Scan to join WeChat group⚡ Frisk
Frisk is a local-first security scanner for ClawHub skills. It runs 7 autonomous checks against 9 live threat intelligence feeds and returns a structured verdict — pass, warn, or fail — before you install.
Unlike instruction-card security skills that tell agents what to look for, Frisk actually runs the checks: dependency lookups against CISA KEV and OSV, credential scanning with Gitleaks, malware pattern matching with YARA, IOC matching against ThreatFox/URLhaus/MalwareBazaar/Feodo, behavioral analysis for eval and injection patterns, and prompt injection detection in SKILL.md files.
All scanning is offline. No telemetry. No phone-home. No data leaves your machine.
When to use
- Before installing a skill from ClawHub — verify it is safe
- Before publishing your own skills — catch issues early
- When reviewing skills for your team or organization
- As part of CI/CD or pipeline validation
- When you want to verify a skill is safe before trusting it with your environment
- Any time an agent encounters an untrusted skill and needs a security check
Quick start
frisk scan weather-forecast # Scan by ClawHub slug
frisk scan ./my-skill # Scan a local skill directory
frisk scan ./my-skill --checks dep-scan,secret-scan
frisk scan ./my-skill --json # JSON output for pipelines
First run sets up a Python venv and syncs threat intel automatically. After that, scanning works with zero configuration.
How it works
Frisk downloads the skill to a sandboxed 0700 temp directory, strips execute bits from all files, suppresses npm install scripts, runs all enabled checks against the local intel cache, produces a structured JSON report with findings, and cleans up the downloaded skill.
Exit codes: 0 = pass, 1 = warn, 2 = fail
Checks
| Check | What it does | |-------|-------------| | dep-scan | Cross-references dependencies against CISA KEV and OSV databases | | static-analysis | Runs Semgrep rules for security anti-patterns (offline, no phone-home) | | secret-scan | Scans for hardcoded API keys, tokens, and credentials using Gitleaks | | yara-scan | Matches files against YARA rules for malware patterns | | ioc-match | Matches IPs, domains, URLs, and file hashes against ThreatFox, URLhaus, MalwareBazaar, and Feodo Tracker | | behavioral | Detects eval usage, shell injection, data exfiltration vectors, DNS tunneling | | prompt-inject | Detects prompt injection and instruction-hiding patterns in SKILL.md |
Threat intel sources (9)
CISA KEV, OSV (npm + PyPI), EPSS, MalwareBazaar, URLhaus, ThreatFox, Feodo Tracker, YARA Rules, Semgrep Rules
Run frisk sync to refresh the intel cache. First scan auto-syncs if no cache exists.
Parameters
When an agent invokes this skill through OpenClaw:
- target (required) — Local directory path or ClawHub skill slug. If a slug is given, the skill is downloaded to a sandboxed temp directory, scanned, and removed.
- checks (optional) — Comma-separated list:
dep-scan,static-analysis,secret-scan,yara-scan,ioc-match,behavioral,prompt-inject. Default: all 7. - json (optional) — Output results as JSON for programmatic use.
Security and Privacy
- No telemetry, no phone-home, no analytics. All scanning is local.
- During scan, zero network requests. All intel is read from the local cache.
- During sync, only public threat intel feeds are contacted. No skill code or scan targets are ever transmitted externally.
- Slug scans are sandboxed: 0700 temp dir, execute bits stripped, npm scripts suppressed, cleaned up after scanning.
Local files
- Read:
~/.frisk/intel/(threat intel cache), skill directory passed as target - Written:
~/.frisk/intel/,~/.frisk/reports/,~/.frisk/venv/,~/.frisk/frisk.log - First sync downloads approximately 50-100 MB of threat intel data
Install
npm install -g @lowwattlabs/frisk
Or let OpenClaw install it via the skill install spec above.
License
MIT-0