🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

SkillGuard Scanner

by @msgnoki

Security scanner for OpenClaw/ClawHub skills. Detects malware, reverse shells, credential theft, prompt injection, memory poisoning, typosquatting, and suspicious prerequisites before installation. Use when installing new skills, auditing existing skills, checking a skill name for typosquatting, or scanning ClawHub skills for security risks.

Versionv1.1.0
Downloads1,774
Installs7
Stars⭐ 2
TERMINAL
clawhub install skillguard-scanner

πŸ“– About This Skill


name: skillguard version: 1.1.0 description: Security scanner for OpenClaw/ClawHub skills. Detects malware, reverse shells, credential theft, prompt injection, memory poisoning, typosquatting, and suspicious prerequisites before installation. Use when installing new skills, auditing existing skills, checking a skill name for typosquatting, or scanning ClawHub skills for security risks.

SkillGuard β€” Skill Security Scanner

Scan OpenClaw skills for security threats before they compromise your system.

Quick Start

Scan all installed skills

python3 {scripts}/scanner.py

Scan a single skill

python3 {scripts}/scanner.py --skill 

Check a skill name for typosquatting

python3 {scripts}/scanner.py --check-name 

Scan from ClawHub before installing

python3 {scripts}/scanner.py --fetch-clawhub 

What It Detects

Critical Threats

  • Reverse shells β€” nc -e, bash -i >& /dev/tcp, ncat, mkfifo
  • Code obfuscation β€” base64 -d | bash, eval(), exec() with encoded payloads
  • High Threats

  • Suspicious URLs β€” webhook.site, glot.io, ngrok.io, pastebin.com
  • Memory poisoning β€” Instructions to write to SOUL.md, MEMORY.md, AGENTS.md
  • Malicious prerequisites β€” Download instructions in docs (the ClawHavoc attack vector)
  • Medium Threats

  • Credential access β€” Patterns accessing .env, API keys, tokens, SSH keys
  • Data exfiltration β€” Outbound HTTP POST/PUT with sensitive data
  • Hardcoded IPs β€” Public IPs embedded in code
  • Typosquatting β€” Skill names similar to popular/known skills (Levenshtein ≀ 2)
  • Crypto wallet access β€” Seed phrases, private keys, wallet patterns
  • Low Threats

  • Shell execution β€” subprocess, os.system, child_process (common but worth noting)
  • Interpreting Results

    Risk Levels

  • πŸ”΄ CRITICAL (β‰₯50) β€” Do NOT install. Likely malicious.
  • 🟠 HIGH (25-49) β€” Review manually before installing. Multiple suspicious patterns.
  • 🟑 MEDIUM (10-24) β€” Some flags, likely false positives but worth checking.
  • 🟒 LOW (1-9) β€” Minor flags, generally safe.
  • βœ… CLEAN (0) β€” No issues detected.
  • False Positive Likelihood

    Each finding includes a FP estimate (low/medium/high):
  • low β€” Likely a real threat
  • medium β€” Could be legitimate, review context
  • high β€” Probably benign (e.g., security tool referencing attack patterns, search tool using fetch)
  • Workflow: Before Installing a Skill

    1. Run python3 {scripts}/scanner.py --fetch-clawhub (requires clawhub CLI) 2. Review the report β€” anything CRITICAL or HIGH with low FP = reject 3. If CLEAN or LOW only β†’ safe to install 4. If MEDIUM β†’ skim the flagged files manually

    Output

  • Console summary with emoji risk levels
  • JSON report saved to {baseDir}/../data/scan_results.json (configurable via --json-out)
  • Context: Why This Matters

    As of February 2026, 341 malicious skills were found on ClawHub (Koi Security / ClawHavoc campaign), distributing Atomic Stealer malware via fake prerequisites. OpenClaw has 512 known vulnerabilities (Kaspersky audit). There is no official skill vetting process. SkillGuard fills this gap.

    See references/threat-landscape.md for detailed background.

    πŸ’‘ Examples

    Scan all installed skills

    python3 {scripts}/scanner.py
    

    Scan a single skill

    python3 {scripts}/scanner.py --skill 
    

    Check a skill name for typosquatting

    python3 {scripts}/scanner.py --check-name 
    

    Scan from ClawHub before installing

    python3 {scripts}/scanner.py --fetch-clawhub