Skillguard Scanner

Security scanner for OpenClaw/ClawHub skills.

Rating
4.1 (19 reviews)
Downloads
6,724 downloads
Version
1.0.0

SkillGuard — Skill Security Scanner

Scan OpenClaw skills for security threats before they compromise your system.

Quick Start

Scan all installed skills

bash
python3 {scripts}/scanner.py

Scan a single skill

bash
python3 {scripts}/scanner.py --skill <skill-name>

Check a skill name for typosquatting

bash
python3 {scripts}/scanner.py --check-name <name>

Scan from ClawHub before installing

bash
python3 {scripts}/scanner.py --fetch-clawhub <skill-name>

What It Detects

Critical Threats

  • Reverse shells — nc -e, bash -i >& /dev/tcp, ncat, mkfifo
  • Code obfuscation — base64 -d | bash, eval(), exec() with encoded payloads

High Threats

  • Suspicious URLs — webhook.site, glot.io, ngrok.io, pastebin.com
  • Memory poisoning — Instructions to write to SOUL.md, MEMORY.md, AGENTS.md
  • Malicious prerequisites — Download instructions in docs (the ClawHavoc attack vector)

Medium Threats

  • Credential access — Patterns accessing .env, API keys, tokens, SSH keys
  • Data exfiltration — Outbound HTTP POST/PUT with sensitive data
  • Hardcoded IPs — Public IPs embedded in code
  • Typosquatting — Skill names similar to popular/known skills (Levenshtein ≤ 2)
  • Crypto wallet access — Seed phrases, private keys, wallet patterns

Low Threats

  • Shell execution — subprocess, os.system, child_process (common but worth noting)

Interpreting Results

Risk Levels

  • 🔴 CRITICAL (≥50) — Do NOT install. Likely malicious.
  • 🟠 HIGH (25-49) — Review manually before installing. Multiple suspicious patterns.
  • 🟡 MEDIUM (10-24) — Some flags, likely false positives but worth checking.
  • 🟢 LOW (1-9) — Minor flags, generally safe.
  • ✅ CLEAN (0) — No issues detected.

False Positive Likelihood

Each finding includes a FP estimate (low/medium/high):
  • low — Likely a real threat
  • medium — Could be legitimate, review context
  • high — Probably benign (e.g., security tool referencing attack patterns, search tool using fetch)

Workflow: Before Installing a Skill

  • Run python3 {scripts}/scanner.py --fetch-clawhub <skill-name> (requires clawhub CLI)
  • Review the report — anything CRITICAL or HIGH with low FP = reject
  • If CLEAN or LOW only → safe to install
  • If MEDIUM → skim the flagged files manually

Output

  • Console summary with emoji risk levels
  • JSON report saved to {baseDir}/../data/scan_results.json (configurable via --json-out)

Context: Why This Matters

As of February 2026, 341 malicious skills were found on ClawHub (Koi Security / ClawHavoc campaign), distributing Atomic Stealer malware via fake prerequisites. OpenClaw has 512 known vulnerabilities (Kaspersky audit). There is no official skill vetting process. SkillGuard fills this gap.

See references/threat-landscape.md for detailed background.

Installation

Terminal bash

openclaw install skillguard-scanner

Tags

#coding_agents-and-ides #security

Quick Info

Category Development
Model Claude 3.5
Complexity One-Click
Author msgnoki
Last Updated 3/10/2026