SkillShield v4.0.0 — Ultimate Edition 🛡️
65 security checks | SARIF v2.1.0 | CI/CD ready | Zero dependencies
The most comprehensive security scanner for OpenClaw/ClawHub skills. Detects malware, credential theft, exfiltration, prompt injection, campaign signatures, agent takeover, macOS-specific attacks, and more.
Feature Comparison
| Feature | SkillShield v4 | Skillvet v2 | |---------|:-:|:-:| | Total security checks | 65 | 48 | | Python 3 stdlib only | ✅ | ❌ (bash) | | Single file | ✅ | ❌ (multi-file) | | SARIF v2.1.0 output | ✅ | ✅ | | JSON output | ✅ | ✅ | | Summary mode | ✅ | ✅ | | Verbose mode | ✅ | ✅ | | Pre-commit hook | ✅ | ✅ | | GitHub Actions template | ✅ | ✅ | | HTML dashboard report | ✅ | ❌ | | Markdown report | ✅ | ❌ | | Interactive mode | ✅ | ❌ | | Quarantine system | ✅ | ❌ | | Baseline/tamper detection | ✅ | ❌ | | SBOM generation | ✅ | ❌ | | Diff scanning | ✅ | ❌ | | Custom rules engine | ✅ | ❌ | | Risk scoring (weighted) | ✅ | ✅ | | Check IDs (SS-001+) | ✅ | ✅ | | Exit codes (0/1/2) | ✅ | ✅ | | Known C2/IOC IP blocklist | ✅ | ✅ | | Known malicious actors | ✅ | ✅ | | Exfiltration endpoints | ✅ | ✅ | | Paste service detection | ✅ | ✅ | | Campaign detection (3) | ✅ | ❌ | | Behavioral analysis | ✅ | ❌ | | macOS attack detection | ✅ | ✅ | | Agent config tampering | ✅ | ✅ | | LLM tool exploitation | ✅ | ✅ | | String evasion detection | ✅ | ✅ | | Punycode domains | ✅ | ✅ | | Double encoding | ✅ | ✅ | | Password archive detection | ✅ | ✅ | | Network fingerprinting | ✅ | ❌ | | Reputation grading | ✅ | ❌ | | Context-aware domain checks | ✅ | ❌ | | Inline ignore comments | ✅ | ✅ | | .skillshield-ignore file | ✅ | ✅ (.skillvetrc) | | Max file size option | ✅ | ✅ | | Max depth option | ✅ | ✅ | | 16 file types scanned | ✅ | ✅ | | Statistics footer | ✅ | ✅ |
Usage
Scan all skills
python3 skills/skill-guard/scripts/skillguard.py scan
Check a single skill
python3 skills/skill-guard/scripts/skillguard.py check skills/some-skill
Check a directory of skills
python3 skills/skill-guard/scripts/skillguard.py check /path/to/skills
Output Formats
# JSON output (for automation)
python3 scripts/skillguard.py check skills/some-skill --json
# SARIF v2.1.0 (for GitHub Code Scanning / VS Code)
python3 scripts/skillguard.py check skills/some-skill --sarif
# Summary mode (one-line per skill)
python3 scripts/skillguard.py scan --summary
# Verbose mode (debug check progress)
python3 scripts/skillguard.py scan --verbose
# HTML dashboard
python3 scripts/skillguard.py scan --html report.html
# Markdown report
python3 scripts/skillguard.py scan --report report.md
CI/CD Integration
GitHub Actions (SARIF upload):
- name: Run SkillShield
run: python3 skills/skill-guard/scripts/skillguard.py check skills/ --sarif > results.sarif || true
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
Generate GitHub Actions workflow:
python3 scripts/skillguard.py ci > .github/workflows/skillshield.yml
Pre-commit hook:
python3 scripts/skillguard.py hook > .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
Exit Codes
| Code | Meaning | |------|---------| | 0 | Clean — no issues found | | 1 | Warnings only — suspicious findings | | 2 | Critical/malicious findings |
All Commands
| Command | Description |
|---------|-------------|
| scan [dir] | Scan all skills (default: ~/clawd/skills/) |
| check <path> | Scan a single skill or directory |
| watch [dir] | One-liner summary for cron alerting |
| diff <name> | Compare skill against baseline |
| quarantine <name> | Move malicious skill to quarantine |
| unquarantine <name> | Restore from quarantine |
| list-quarantine | Show quarantined skills |
| sbom <name> | Generate Software Bill of Materials (JSON) |
| hook | Generate git pre-commit hook |
| ci | Generate GitHub Actions workflow |
All Options
| Flag | Description |
|------|-------------|
| --json | Machine-readable JSON output |
| --sarif | SARIF v2.1.0 output |
| --summary | One-line per skill output |
| --verbose | Show check progress |
| --report <path> | Markdown report file |
| --html <path> | HTML dashboard report |
| --baseline | Force re-baseline hashes |
| --interactive | Review findings interactively |
| --ci | Generate GitHub Actions workflow |
| --max-file-size N | Skip files > N bytes |
| --max-depth N | Limit traversal depth |
False Positive Suppression
File-level: Create .skillshield-ignore in the skill:
Base64 encode/decode operation
HTTP request to unknown domain: my-legit-api.com
Inline: Add # skillshield-ignore comment:
url = "https://bit.ly/legit-link" # skillshield-ignore
Security Checks (65 total)
Check IDs (SS-001 through SS-065)
| ID | Check | Severity | Weight | |----|-------|----------|--------| | SS-001 | Outbound HTTP request | WARNING | 3 | | SS-002 | eval/exec call | WARNING | 5 | | SS-003 | Dynamic import | WARNING | 5 | | SS-004 | Base64 decode operation | WARNING | 4 | | SS-005 | Base64 decodes to suspicious content | CRITICAL | 9 | | SS-006 | Hex string decodes to suspicious content | CRITICAL | 9 | | SS-007 | URL shortener detected | WARNING | 5 | | SS-008 | Executable data URI | WARNING | 5 | | SS-009 | Hardcoded secret | CRITICAL | 10 | | SS-010 | SSL verification disabled | WARNING | 5 | | SS-011 | PATH modification | CRITICAL | 8 | | SS-012 | Library path modification | CRITICAL | 8 | | SS-013 | Shell execution (os.system) | WARNING | 4 | | SS-014 | subprocess with shell=True | CRITICAL | 7 | | SS-015 | Sensitive file access | CRITICAL | 8 | | SS-016 | Reverse shell pattern | CRITICAL | 10 | | SS-017 | DNS exfiltration | CRITICAL | 9 | | SS-018 | Crontab modification | CRITICAL | 8 | | SS-019 | System service creation | CRITICAL | 8 | | SS-020 | Shell RC file modification | CRITICAL | 8 | | SS-021 | Time bomb pattern | WARNING | 6 | | SS-022 | Pickle deserialization | CRITICAL | 9 | | SS-023 | Prompt injection override | CRITICAL | 9 | | SS-024 | Prompt injection exfiltration | CRITICAL | 9 | | SS-025 | Social engineering phrase | WARNING | 5 | | SS-026 | SVG JavaScript | CRITICAL | 8 | | SS-027 | SVG event handler | WARNING | 5 | | SS-028 | npm lifecycle hook | CRITICAL | 8 | | SS-029 | Typosquat package | WARNING | 6 | | SS-030 | Binary executable | CRITICAL | 9 | | SS-031 | Symlink to sensitive path | CRITICAL | 8 | | SS-032 | Archive file | WARNING | 4 | | SS-033 | Unicode homoglyph | CRITICAL | 7 | | SS-034 | ANSI escape injection | WARNING | 5 | | SS-035 | Writes outside skill dir | WARNING | 5 | | SS-036 | COMBO: sensitive + outbound | CRITICAL | 10 | | SS-037 | COMBO: subprocess + sensitive | CRITICAL | 8 | | SS-038 | Campaign signature match | CRITICAL | 10 | | SS-039 | BEHAVIORAL: staged exfiltration | CRITICAL | 9 | | SS-040 | BEHAVIORAL: download + exec | CRITICAL | 9 | | SS-041 | BEHAVIORAL: env harvest + network | CRITICAL | 9 | | SS-042 | Clipboard access | WARNING | 4 | | SS-043 | Bulk env variable capture | CRITICAL | 9 | | SS-044 | Permission mismatch (trojan) | CRITICAL | 8 | | SS-045 | Known C2/IOC IP address | CRITICAL | 10 | | SS-046 | Known exfiltration endpoint | CRITICAL | 10 | | SS-047 | Paste service reference | CRITICAL | 7 | | SS-048 | GitHub raw content execution | CRITICAL | 9 | | SS-049 | macOS Gatekeeper bypass (xattr) | CRITICAL | 9 | | SS-050 | macOS osascript social engineering | CRITICAL | 8 | | SS-051 | TMPDIR payload staging | CRITICAL | 9 | | SS-052 | Keychain theft | CRITICAL | 10 | | SS-053 | Password-protected archive | CRITICAL | 7 | | SS-054 | Double-encoded path bypass | CRITICAL | 7 | | SS-055 | Punycode domain (IDN attack) | CRITICAL | 7 | | SS-056 | String construction evasion | CRITICAL | 7 | | SS-057 | Process persistence + network | CRITICAL | 9 | | SS-058 | Agent config tampering | CRITICAL | 9 | | SS-059 | LLM tool exploitation | CRITICAL | 9 | | SS-060 | Fake prerequisite pattern | CRITICAL | 7 | | SS-061 | Network fingerprinting + exfil | WARNING | 6 | | SS-062 | Known malicious actor | CRITICAL | 10 | | SS-063 | Nohup/disown + network | CRITICAL | 9 | | SS-064 | chmod +x on downloaded file | CRITICAL | 8 | | SS-065 | open -a with downloaded binary | CRITICAL | 8 |
Campaign Detection
- ClawHavoc — 386-skill wallet theft campaign with C2 beacons
- twitter-enhanced — Typosquatting popular skills with hidden eval/exec
- ClickFix — Social engineering to run clipboard commands
Known C2/IOC IP Blocklist
Based on reports from Koi Security, Bitdefender, Snyk:
91.92.242.30— AMOS C2 server54.91.154.110— AMOS C2 server185.215.113.16— ClawHavoc dropper relay45.61.136.47— AMOS stage-2 payload194.169.175.232— Atomic Stealer C291.92.248.52— ClawHavoc wallet exfil79.137.207.210— Bandit Stealer C245.155.205.172— Generic macOS stealer C2
Known Malicious Actors
- zaycv, Ddoy233, Sakaen736jih, Hightower6eu, aslaep123, davidsmorais, clawdhub1
File Types Scanned
.py, .js, .ts, .tsx, .jsx, .sh, .bash, .rs, .go, .rb, .c, .cpp, .md, .json, .svg, .yml, .yaml, .toml, .txt, .cfg, .ini, .html, .css, .env*, Dockerfile*, Makefile, pom.xml, .gradle
Performance
- 25 real skills in < 1 second
- 16 test cases in < 0.5 seconds
- Single Python 3 file, zero dependencies
- 2,800 lines of pure stdlib Python
Scan to join WeChat group