Back to skills
extension
Category: OtherNo API key required

Skill Guard

SkillShield v4 — Ultimate security scanner for OpenClaw skills. 65 security checks, SARIF v2.1.0 output, CI/CD ready, campaign detection, C2 IP blocklist, kn...

personAuthor: benlee2144hubclawhub

SkillShield v4.0.0 — Ultimate Edition 🛡️

65 security checks | SARIF v2.1.0 | CI/CD ready | Zero dependencies

The most comprehensive security scanner for OpenClaw/ClawHub skills. Detects malware, credential theft, exfiltration, prompt injection, campaign signatures, agent takeover, macOS-specific attacks, and more.

Feature Comparison

| Feature | SkillShield v4 | Skillvet v2 | |---------|:-:|:-:| | Total security checks | 65 | 48 | | Python 3 stdlib only | ✅ | ❌ (bash) | | Single file | ✅ | ❌ (multi-file) | | SARIF v2.1.0 output | ✅ | ✅ | | JSON output | ✅ | ✅ | | Summary mode | ✅ | ✅ | | Verbose mode | ✅ | ✅ | | Pre-commit hook | ✅ | ✅ | | GitHub Actions template | ✅ | ✅ | | HTML dashboard report | ✅ | ❌ | | Markdown report | ✅ | ❌ | | Interactive mode | ✅ | ❌ | | Quarantine system | ✅ | ❌ | | Baseline/tamper detection | ✅ | ❌ | | SBOM generation | ✅ | ❌ | | Diff scanning | ✅ | ❌ | | Custom rules engine | ✅ | ❌ | | Risk scoring (weighted) | ✅ | ✅ | | Check IDs (SS-001+) | ✅ | ✅ | | Exit codes (0/1/2) | ✅ | ✅ | | Known C2/IOC IP blocklist | ✅ | ✅ | | Known malicious actors | ✅ | ✅ | | Exfiltration endpoints | ✅ | ✅ | | Paste service detection | ✅ | ✅ | | Campaign detection (3) | ✅ | ❌ | | Behavioral analysis | ✅ | ❌ | | macOS attack detection | ✅ | ✅ | | Agent config tampering | ✅ | ✅ | | LLM tool exploitation | ✅ | ✅ | | String evasion detection | ✅ | ✅ | | Punycode domains | ✅ | ✅ | | Double encoding | ✅ | ✅ | | Password archive detection | ✅ | ✅ | | Network fingerprinting | ✅ | ❌ | | Reputation grading | ✅ | ❌ | | Context-aware domain checks | ✅ | ❌ | | Inline ignore comments | ✅ | ✅ | | .skillshield-ignore file | ✅ | ✅ (.skillvetrc) | | Max file size option | ✅ | ✅ | | Max depth option | ✅ | ✅ | | 16 file types scanned | ✅ | ✅ | | Statistics footer | ✅ | ✅ |

Usage

Scan all skills

python3 skills/skill-guard/scripts/skillguard.py scan

Check a single skill

python3 skills/skill-guard/scripts/skillguard.py check skills/some-skill

Check a directory of skills

python3 skills/skill-guard/scripts/skillguard.py check /path/to/skills

Output Formats

# JSON output (for automation)
python3 scripts/skillguard.py check skills/some-skill --json

# SARIF v2.1.0 (for GitHub Code Scanning / VS Code)
python3 scripts/skillguard.py check skills/some-skill --sarif

# Summary mode (one-line per skill)
python3 scripts/skillguard.py scan --summary

# Verbose mode (debug check progress)
python3 scripts/skillguard.py scan --verbose

# HTML dashboard
python3 scripts/skillguard.py scan --html report.html

# Markdown report
python3 scripts/skillguard.py scan --report report.md

CI/CD Integration

GitHub Actions (SARIF upload):

- name: Run SkillShield
  run: python3 skills/skill-guard/scripts/skillguard.py check skills/ --sarif > results.sarif || true

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Generate GitHub Actions workflow:

python3 scripts/skillguard.py ci > .github/workflows/skillshield.yml

Pre-commit hook:

python3 scripts/skillguard.py hook > .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit

Exit Codes

| Code | Meaning | |------|---------| | 0 | Clean — no issues found | | 1 | Warnings only — suspicious findings | | 2 | Critical/malicious findings |

All Commands

| Command | Description | |---------|-------------| | scan [dir] | Scan all skills (default: ~/clawd/skills/) | | check <path> | Scan a single skill or directory | | watch [dir] | One-liner summary for cron alerting | | diff <name> | Compare skill against baseline | | quarantine <name> | Move malicious skill to quarantine | | unquarantine <name> | Restore from quarantine | | list-quarantine | Show quarantined skills | | sbom <name> | Generate Software Bill of Materials (JSON) | | hook | Generate git pre-commit hook | | ci | Generate GitHub Actions workflow |

All Options

| Flag | Description | |------|-------------| | --json | Machine-readable JSON output | | --sarif | SARIF v2.1.0 output | | --summary | One-line per skill output | | --verbose | Show check progress | | --report <path> | Markdown report file | | --html <path> | HTML dashboard report | | --baseline | Force re-baseline hashes | | --interactive | Review findings interactively | | --ci | Generate GitHub Actions workflow | | --max-file-size N | Skip files > N bytes | | --max-depth N | Limit traversal depth |

False Positive Suppression

File-level: Create .skillshield-ignore in the skill:

Base64 encode/decode operation
HTTP request to unknown domain: my-legit-api.com

Inline: Add # skillshield-ignore comment:

url = "https://bit.ly/legit-link"  # skillshield-ignore

Security Checks (65 total)

Check IDs (SS-001 through SS-065)

| ID | Check | Severity | Weight | |----|-------|----------|--------| | SS-001 | Outbound HTTP request | WARNING | 3 | | SS-002 | eval/exec call | WARNING | 5 | | SS-003 | Dynamic import | WARNING | 5 | | SS-004 | Base64 decode operation | WARNING | 4 | | SS-005 | Base64 decodes to suspicious content | CRITICAL | 9 | | SS-006 | Hex string decodes to suspicious content | CRITICAL | 9 | | SS-007 | URL shortener detected | WARNING | 5 | | SS-008 | Executable data URI | WARNING | 5 | | SS-009 | Hardcoded secret | CRITICAL | 10 | | SS-010 | SSL verification disabled | WARNING | 5 | | SS-011 | PATH modification | CRITICAL | 8 | | SS-012 | Library path modification | CRITICAL | 8 | | SS-013 | Shell execution (os.system) | WARNING | 4 | | SS-014 | subprocess with shell=True | CRITICAL | 7 | | SS-015 | Sensitive file access | CRITICAL | 8 | | SS-016 | Reverse shell pattern | CRITICAL | 10 | | SS-017 | DNS exfiltration | CRITICAL | 9 | | SS-018 | Crontab modification | CRITICAL | 8 | | SS-019 | System service creation | CRITICAL | 8 | | SS-020 | Shell RC file modification | CRITICAL | 8 | | SS-021 | Time bomb pattern | WARNING | 6 | | SS-022 | Pickle deserialization | CRITICAL | 9 | | SS-023 | Prompt injection override | CRITICAL | 9 | | SS-024 | Prompt injection exfiltration | CRITICAL | 9 | | SS-025 | Social engineering phrase | WARNING | 5 | | SS-026 | SVG JavaScript | CRITICAL | 8 | | SS-027 | SVG event handler | WARNING | 5 | | SS-028 | npm lifecycle hook | CRITICAL | 8 | | SS-029 | Typosquat package | WARNING | 6 | | SS-030 | Binary executable | CRITICAL | 9 | | SS-031 | Symlink to sensitive path | CRITICAL | 8 | | SS-032 | Archive file | WARNING | 4 | | SS-033 | Unicode homoglyph | CRITICAL | 7 | | SS-034 | ANSI escape injection | WARNING | 5 | | SS-035 | Writes outside skill dir | WARNING | 5 | | SS-036 | COMBO: sensitive + outbound | CRITICAL | 10 | | SS-037 | COMBO: subprocess + sensitive | CRITICAL | 8 | | SS-038 | Campaign signature match | CRITICAL | 10 | | SS-039 | BEHAVIORAL: staged exfiltration | CRITICAL | 9 | | SS-040 | BEHAVIORAL: download + exec | CRITICAL | 9 | | SS-041 | BEHAVIORAL: env harvest + network | CRITICAL | 9 | | SS-042 | Clipboard access | WARNING | 4 | | SS-043 | Bulk env variable capture | CRITICAL | 9 | | SS-044 | Permission mismatch (trojan) | CRITICAL | 8 | | SS-045 | Known C2/IOC IP address | CRITICAL | 10 | | SS-046 | Known exfiltration endpoint | CRITICAL | 10 | | SS-047 | Paste service reference | CRITICAL | 7 | | SS-048 | GitHub raw content execution | CRITICAL | 9 | | SS-049 | macOS Gatekeeper bypass (xattr) | CRITICAL | 9 | | SS-050 | macOS osascript social engineering | CRITICAL | 8 | | SS-051 | TMPDIR payload staging | CRITICAL | 9 | | SS-052 | Keychain theft | CRITICAL | 10 | | SS-053 | Password-protected archive | CRITICAL | 7 | | SS-054 | Double-encoded path bypass | CRITICAL | 7 | | SS-055 | Punycode domain (IDN attack) | CRITICAL | 7 | | SS-056 | String construction evasion | CRITICAL | 7 | | SS-057 | Process persistence + network | CRITICAL | 9 | | SS-058 | Agent config tampering | CRITICAL | 9 | | SS-059 | LLM tool exploitation | CRITICAL | 9 | | SS-060 | Fake prerequisite pattern | CRITICAL | 7 | | SS-061 | Network fingerprinting + exfil | WARNING | 6 | | SS-062 | Known malicious actor | CRITICAL | 10 | | SS-063 | Nohup/disown + network | CRITICAL | 9 | | SS-064 | chmod +x on downloaded file | CRITICAL | 8 | | SS-065 | open -a with downloaded binary | CRITICAL | 8 |

Campaign Detection

  • ClawHavoc — 386-skill wallet theft campaign with C2 beacons
  • twitter-enhanced — Typosquatting popular skills with hidden eval/exec
  • ClickFix — Social engineering to run clipboard commands

Known C2/IOC IP Blocklist

Based on reports from Koi Security, Bitdefender, Snyk:

  • 91.92.242.30 — AMOS C2 server
  • 54.91.154.110 — AMOS C2 server
  • 185.215.113.16 — ClawHavoc dropper relay
  • 45.61.136.47 — AMOS stage-2 payload
  • 194.169.175.232 — Atomic Stealer C2
  • 91.92.248.52 — ClawHavoc wallet exfil
  • 79.137.207.210 — Bandit Stealer C2
  • 45.155.205.172 — Generic macOS stealer C2

Known Malicious Actors

  • zaycv, Ddoy233, Sakaen736jih, Hightower6eu, aslaep123, davidsmorais, clawdhub1

File Types Scanned

.py, .js, .ts, .tsx, .jsx, .sh, .bash, .rs, .go, .rb, .c, .cpp, .md, .json, .svg, .yml, .yaml, .toml, .txt, .cfg, .ini, .html, .css, .env*, Dockerfile*, Makefile, pom.xml, .gradle

Performance

  • 25 real skills in < 1 second
  • 16 test cases in < 0.5 seconds
  • Single Python 3 file, zero dependencies
  • 2,800 lines of pure stdlib Python