🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

OpenClaw Security Guard

by @x-rayluan

This skill should be used when the user asks to harden agent workflows, audit prompts/commands/URLs/paths, scan a third-party skill before install or publish...

Versionv0.2.1
Downloads529
TERMINAL
clawhub install clawlite-openclaw-security-guard

πŸ“– About This Skill


name: openclaw-security-guard description: This skill should be used when the user asks to harden agent workflows, audit prompts/commands/URLs/paths, scan a third-party skill before install or publish, review a skill folder for secrets or unsafe scripts, or add a lightweight local security guard before OpenClaw publishing and automation.

OpenClaw Security Guard

Use this skill to run fast local security checks before trusting or publishing automation.

What this skill is for

Run this skill when you need to:

  • scan suspicious text for prompt injection / secret leakage patterns
  • validate shell commands before automation or publishing
  • validate URLs for SSRF / localhost / metadata access risks
  • validate file paths for traversal / sensitive file access
  • audit a skill folder for dangerous scripts, hardcoded secrets, exfiltration patterns, or unsafe install/publish flows
  • add a lightweight self-defense layer before using external skills
  • Workflow

    1. Choose the narrowest check needed. 2. Run one of the bundled scripts. 3. Treat BLOCK as stop-work until reviewed. 4. Treat WARN as requiring human review or a narrower sandbox. 5. For skill audits, review the flagged file lines before install/publish.

    Bundled scripts

    1) Quick text / command / URL / path checks

    node {baseDir}/scripts/security-check.mjs text ""
    node {baseDir}/scripts/security-check.mjs command ""
    node {baseDir}/scripts/security-check.mjs url ""
    node {baseDir}/scripts/security-check.mjs path ""
    

    2) Skill / folder audit

    node {baseDir}/scripts/audit-skill-dir.mjs /absolute/or/relative/path/to/skill
    

    3) Write audit into Obsidian vault

    node {baseDir}/scripts/write-obsidian-audit.mjs /tmp/audit.json "Skill Audit - my-skill"
    

    This writes a markdown audit note into the ClawLite Obsidian vault under Security Audits/.

    4) Install lightweight local hook wrapper

    bash {baseDir}/scripts/install-hooks.sh
    

    This installs a reusable workspace script for prepublish checks.

    This audits for:

  • hardcoded secrets / tokens
  • curl|bash / wget|sh installers
  • destructive shell patterns
  • risky exfiltration / webhook / netcat usage
  • suspicious file targets like ~/.ssh, /etc/passwd, .env, id_rsa
  • Verdicts

  • ALLOW β€” no high-risk pattern found in this lightweight pass
  • WARN β€” review manually before proceeding
  • BLOCK β€” do not trust / run / publish until reviewed
  • Important limits

  • This is a lightweight guard, not a full sandbox.
  • Regex-based detection catches common dangerous patterns, not all attacks.
  • A clean result does not prove safety.
  • For high-risk code, still prefer human review and runtime isolation.
  • Publishing / install guard

    Before publishing or installing a skill from GitHub / ClawHub: 1. run audit-skill-dir.mjs 2. inspect every WARN / BLOCK 3. only proceed when the remaining risk is understood

    References

    If you need the audit categories / philosophy, read:

  • {baseDir}/references/checklist.md