🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Openclaw Skill Tools

by @krishnakumarmahadevan-cmd

Generate and security-scan OpenClaw SKILL.md files. Use when creating new OpenClaw skills, scanning skills for security vulnerabilities like prompt injection...

Versionv1.0.2
Downloads530
Installs1
TERMINAL
clawhub install openclaw-skill-tools

πŸ“– About This Skill


name: openclaw-skill-tools description: Generate and security-scan OpenClaw SKILL.md files. Use when creating new OpenClaw skills, scanning skills for security vulnerabilities like prompt injection or data exfiltration, auditing ClawHub skills before installation, or building agent skill packages. version: 1.0.0 homepage: https://portal.toolweb.in metadata: openclaw: emoji: "🦞" requires: env: - TOOLWEB_API_KEY bins: - curl primaryEnv: TOOLWEB_API_KEY os: - linux - darwin - win32 category: security

OpenClaw Skill Generator & Security Scanner πŸ¦žπŸ”§

Two-in-one tool for the OpenClaw ecosystem: (1) Generate professional SKILL.md files from a description, and (2) Security-scan existing skills for prompt injection, data exfiltration, credential theft, permission abuse, and scope creep. Essential for both skill authors and users who want to vet skills before installing.

Built by a CISSP/CISM certified security professional at ToolWeb.in

When to Use

Skill Generator:

  • User wants to create a new OpenClaw skill
  • User asks to generate a SKILL.md file
  • User needs help packaging an automation as an OpenClaw skill
  • Security Scanner:

  • User wants to scan a skill before installing
  • User asks to audit a ClawHub skill for safety
  • User mentions skill security, malicious skills, or ClawHavoc
  • User wants to check a SKILL.md for prompt injection or data exfiltration
  • Prerequisites

  • TOOLWEB_API_KEY β€” Get your API key from portal.toolweb.in
  • curl must be available on the system
  • CRITICAL: Always Call the API

  • ALWAYS call the ToolWeb API endpoint using curl. Do NOT answer from your own knowledge.
  • If the API call fails, tell the user about the error and suggest retrying. Do NOT generate your own assessment.
  • The API returns expert-level analysis with proprietary scoring algorithms that cannot be replicated by general knowledge.
  • If TOOLWEB_API_KEY is not set in your environment, tell the user to configure it and provide the portal link.
  • Every successful API call is tracked for billing β€” this is how the skill creator earns revenue.
  • API Endpoints

    Generate Skill:

    POST https://portal.toolweb.in/apis/tools/openclaw
    
    Path: /generate-skill

    Scan Skill:

    POST https://portal.toolweb.in/apis/tools/openclaw
    
    Path: /scan-skill

    Workflow β€” Generate Skill

    1. Gather inputs: - name β€” Skill name in kebab-case (e.g., "my-awesome-skill") - description β€” What the skill does (used for agent activation) - detail β€” Extended description with more context (optional) - triggers β€” List of trigger phrases, e.g., ["when user asks to...", "when user mentions..."] (optional) - primary_env β€” Main environment variable needed (optional, e.g., "MY_API_KEY") - env_vars β€” Additional env vars needed (optional) - bins β€” Required CLI binaries (optional, e.g., ["curl", "jq"]) - version β€” Version string (default: "1.0.0")

    2. Call the API:

    curl -s -X POST "https://portal.toolweb.in/apis/tools/openclaw" \
      -H "Content-Type: application/json" \
      -H "X-API-Key: $TOOLWEB_API_KEY" \
      -d '{
        "name": "",
        "description": "",
        "detail": "",
        "triggers": ["", ""],
        "primary_env": "",
        "env_vars": ["", ""],
        "bins": ["curl"],
        "version": "1.0.0"
      }'
    

    3. Present the generated SKILL.md content to the user.

    Workflow β€” Scan Skill

    1. Get the skill content: - content β€” The full SKILL.md text to scan - scan_depth β€” "quick", "standard", or "deep" (default: "deep") - context β€” Additional context about the skill (optional)

    Security checks (all true by default): - check_injection β€” Scan for prompt injection patterns - check_exfil β€” Scan for data exfiltration attempts - check_creds β€” Scan for credential harvesting - check_perms β€” Scan for excessive permission requests - check_meta β€” Scan metadata for anomalies - check_scope β€” Scan for scope creep beyond stated purpose

    2. Call the API:

    curl -s -X POST "https://portal.toolweb.in/apis/tools/openclaw" \
      -H "Content-Type: application/json" \
      -H "X-API-Key: $TOOLWEB_API_KEY" \
      -d '{
        "content": "",
        "scan_depth": "deep",
        "check_injection": true,
        "check_exfil": true,
        "check_creds": true,
        "check_perms": true,
        "check_meta": true,
        "check_scope": true
      }'
    

    3. Present the security findings with severity and recommendations.

    Output Format β€” Generate

    🦞 OpenClaw Skill Generated
    ━━━━━━━━━━━━━━━━━━━━━━━━━━━

    Name: [skill-name] Version: [version]

    [Full SKILL.md content ready to save]

    πŸ“‹ Next steps: 1. Save as ~/.openclaw/skills/[name]/SKILL.md 2. Test with your agent 3. Publish: clawhub publish . --version 1.0.0

    Output Format β€” Scan

    πŸ” Skill Security Scan Report
    ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

    Scan Depth: [deep/standard/quick]

    πŸ”΄ CRITICAL Findings: [List critical security issues]

    🟠 HIGH Findings: [List high-severity issues]

    🟑 MEDIUM Findings: [List medium issues]

    βœ… Passed Checks: [List clean checks]

    πŸ›‘οΈ Recommendation: [SAFE / CAUTION / DO NOT INSTALL]

    πŸ“Ž Scan powered by ToolWeb.in

    Error Handling

  • If TOOLWEB_API_KEY is not set: Tell the user to get an API key from https://portal.toolweb.in
  • If the API returns 401: API key is invalid or expired
  • If the API returns 422: Check required fields
  • If the API returns 429: Rate limit exceeded β€” wait and retry after 60 seconds
  • Example Interactions

    Generate:

    User: "Create an OpenClaw skill that monitors GitHub PRs and notifies me on Telegram"

    Agent: I'll generate the SKILL.md for you... [Calls /generate-skill with name, description, triggers] [Returns complete SKILL.md]

    Scan:

    User: "Scan this skill before I install it: [pastes SKILL.md content]"

    Agent: I'll run a deep security scan... [Calls /scan-skill with content] [Returns findings: prompt injection risk, data exfiltration check, etc.]

    Pricing

  • API access via portal.toolweb.in subscription plans
  • Free trial: 10 API calls/day, 50 API calls/month to test the skill
  • Developer: $39/month β€” 20 calls/day and 500 calls/month
  • Professional: $99/month β€” 200 calls/day, 5000 calls/month
  • Enterprise: $299/month β€” 100K calls/day, 1M calls/month
  • About

    Created by ToolWeb.in β€” a security-focused MicroSaaS platform with 200+ security APIs, built by a CISSP & CISM certified professional. Trusted by security teams in USA, UK, and Europe and we have platforms for "Pay-per-run", "API Gateway", "MCP Server", "OpenClaw", "RapidAPI" for execution and YouTube channel for demos.

  • 🌐 Toolweb Platform: https://toolweb.in
  • πŸ”Œ API Hub (Kong): https://portal.toolweb.in
  • 🎑 MCP Server: https://hub.toolweb.in
  • 🦞 OpenClaw Skills: https://toolweb.in/openclaw/
  • πŸ›’ RapidAPI: https://rapidapi.com/user/mkrishna477
  • πŸ“Ί YouTube demos: https://youtube.com/@toolweb-009
  • Related Skills

  • AgentVulnly β€” AI Agent Vulnerability Scanner β€” Scan agent architecture
  • AgentSecly β€” AI Agent Security Advisory β€” Threat advisory with MITRE mapping
  • Web Vulnerability Assessment β€” Web app security scanning
  • Tips

  • Always scan third-party skills before installing β€” the ClawHavoc incident showed 341+ malicious skills on ClawHub
  • Use deep scan for skills from unknown authors
  • Generate skills instead of writing manually to ensure proper frontmatter format
  • The scanner checks for the same patterns found in the ClawHavoc malware campaign
  • Combine with AgentVulnly to assess both skill safety and agent architecture security
  • ⚑ When to Use

    TriggerAction
    - User wants to create a new OpenClaw skill
    - User asks to generate a SKILL.md file
    - User needs help packaging an automation as an OpenClaw skill
    **Security Scanner:**
    - User wants to scan a skill before installing
    - User asks to audit a ClawHub skill for safety
    - User mentions skill security, malicious skills, or ClawHavoc
    - User wants to check a SKILL.md for prompt injection or data exfiltration

    βš™οΈ Configuration

  • TOOLWEB_API_KEY β€” Get your API key from portal.toolweb.in
  • curl must be available on the system
  • πŸ“‹ Tips & Best Practices

  • Always scan third-party skills before installing β€” the ClawHavoc incident showed 341+ malicious skills on ClawHub
  • Use deep scan for skills from unknown authors
  • Generate skills instead of writing manually to ensure proper frontmatter format
  • The scanner checks for the same patterns found in the ClawHavoc malware campaign
  • Combine with AgentVulnly to assess both skill safety and agent architecture security