✓ Verified
💻 Development
✓ Enhanced Data
Yoder Skill Auditor
The definitive security scanner for OpenClaw skills. 18 security checks including prompt injection d
- Rating
- 4.7 (317 reviews)
- Downloads
- 3,436 downloads
- Version
- 1.0.0
Overview
The definitive security scanner for OpenClaw skills. 18 security checks including prompt injection detection.
Complete Documentation
View Source →
Skill Auditor v3.1.0
The definitive security scanner for OpenClaw/ClawHub skills. Best-in-class detection across 18 security checks including prompt injection detection — the first scanner to catch agent manipulation attacks in skill documentation. 5-dimension trust scoring, trend tracking, diff analysis, and benchmarking. Zero false positives on legitimate skills.
When to Activate
- Installing a new skill from ClawHub - run
inspect.shfor full pre-install validation - Auditing existing skills - use
audit.shto scan any skill directory - Generating trust scores - use
trust_score.pyfor 0-100 rating across 5 dimensions - Comparing skills - use
trust_score.py --comparefor side-by-side analysis - Tracking improvements - use
trust_score.py --save-trendto monitor score over time - Reviewing updates - use
diff-audit.shto compare before/after versions - Batch scanning - use
audit-all.shorbenchmark.shfor fleet-wide analysis
Quick Start
bash
# Audit a single skill
bash audit.sh /path/to/skill
# Trust score (0-100 across 5 dimensions)
python3 trust_score.py /path/to/skill
# Compare two skills side by side
python3 trust_score.py /path/to/skill1 --compare /path/to/skill2
# Track score over time
python3 trust_score.py /path/to/skill --save-trend
python3 trust_score.py /path/to/skill --trend
# Diff audit (before/after update)
bash diff-audit.sh /path/to/old-version /path/to/new-version
# Benchmark against a corpus
bash benchmark.sh /path/to/skills-dir
# Inspect a ClawHub skill before installing
bash inspect.sh skill-slug
# Audit all installed skills
bash audit-all.sh
# Generate a markdown report
bash report.sh
# Run test suite (28 assertions)
bash test.shGuardrails / Anti-Patterns
DO:
- ✓ Always audit skills before installing from untrusted sources
- ✓ Review trust scores - reject skills scoring below 60 (D grade)
- ✓ Use
diff-audit.shwhen updating skills to catch regressions - ✓ Use
--jsonoutput for CI/CD pipeline integration - ✓ Run
--save-trendperiodically to track skill health
- ✗ Install skills scoring below 40 (F grade) without extensive manual review
- ✗ Ignore CRITICAL findings - they indicate potential security threats
- ✗ Blindly add skills to allowlist without understanding why they access credentials
- ✗ Skip audit because a skill is "popular" or "official"
Security Checks (18 total)
| # | Check | Severity | Description | ||
|---|---|---|---|---|---|
| 1 | credential-harvest | CRITICAL | Scripts reading API keys/tokens AND making network calls | ||
| 2 | exfiltration-url | CRITICAL | webhook.site, requestbin, ngrok URLs in scripts | ||
| 3 | obfuscated-payload | CRITICAL | Base64-encoded URLs or shell commands | ||
| 4 | sensitive-fs | CRITICAL | /etc/passwd, ~/.ssh, ~/.aws/credentials access | ||
| 5 | crypto-wallet | CRITICAL | Hardcoded ETH/BTC wallet addresses (drain attacks) | ||
| 6 | dependency-confusion | CRITICAL | Internal/private-scoped packages in public deps | ||
| 7 | typosquatting | CRITICAL | Misspelled package names (lodahs, requets, etc.) | ||
| 8 | symlink-attack | CRITICAL | Symlinks targeting sensitive system paths | ||
| 9 | code-execution | WARNING | eval(), exec(), subprocess patterns | ||
| 10 | time-bomb | WARNING | Date/time comparisons that could trigger delayed payloads | ||
| 11 | telemetry-detected | WARNING | Analytics SDKs, tracking pixels, phone-home behavior | ||
| 12 | excessive-permissions | WARNING | >15 bins/env/config items requested | ||
| 13 | unusual-ports | WARNING | Network calls to non-standard ports | ||
| 14 | prompt-injection | CRITICAL | Agent manipulation in docs: "ignore instructions", role hijacking, hidden HTML directives | ||
| 15 | download-execute | CRITICAL | curl\ | bash, wget\ | sh, eval $(curl), unsafe pip/npm installs |
| 16 | hidden-file | WARNING | Suspicious dotfiles that may hide malicious content | ||
| 17 | env-exfiltration | CRITICAL | Reading sensitive env vars + outbound network calls | ||
| 18 | privilege-escalation | CRITICAL | sudo, chmod 777/setuid, writes to system paths |
Trust Score (5 Dimensions)
| Dimension | Max | What's Measured |
|---|---|---|
| Security | 35 | Audit findings (criticals = -18, warnings = -4) |
| Quality | 22 | Description, version, usage docs, examples, metadata, changelog |
| Structure | 18 | File organization, tests, README, reasonable scope |
| Transparency | 15 | License, no minified code, code comments |
| Behavioral | 10 | Rate limiting, error handling, input validation |
Comparative Scoring
bash
python3 trust_score.py /path/to/skill-a --compare /path/to/skill-bTrend Tracking
bash
python3 trust_score.py /path/to/skill --save-trend # Record score
python3 trust_score.py /path/to/skill --trend # View historytrust_trends.json.Tools
| File | Purpose |
|---|---|
| audit.sh | Single skill security audit (18 checks) |
| audit-all.sh | Batch scan all installed skills |
| trust_score.py | Trust score calculator (5-dimension, 0-100) |
| diff-audit.sh | Compare skill versions for security regressions |
| benchmark.sh | Corpus-wide audit with aggregate statistics |
| inspect.sh | ClawHub pre-install workflow |
| report.sh | Markdown report generator |
| test.sh | Automated test suite (28 assertions, 12 test skills) |
| allowlist.json | Known-good credential skills |
Test Suite
12 test skills (8 malicious, 4 clean) with 28 automated assertions:
bash
bash test.shMalicious fixtures: credential harvest, obfuscated payload, sensitive fs reads, crypto wallets, time bombs, symlink attacks, prompt injection, download-execute, privilege escalation. Clean fixtures: basic skill, credential docs (false positive check), network skill, dotfiles skill.
Exit Codes
- 0: PASS / safe to install
- 1: REVIEW / warnings found
- 2: FAIL / critical issues
- 3: Error / bad input
Changelog
See CHANGELOG.md for full version history.
Installation
Terminal bash
openclaw install yoder-skill-auditor
Copied!
💻Code Examples
bash test.sh
bash-testsh.txt
## Guardrails / Anti-Patterns
**DO:**
- ✓ Always audit skills before installing from untrusted sources
- ✓ Review trust scores - reject skills scoring below 60 (D grade)
- ✓ Use `diff-audit.sh` when updating skills to catch regressions
- ✓ Use `--json` output for CI/CD pipeline integration
- ✓ Run `--save-trend` periodically to track skill health
**DON'T:**
- ✗ Install skills scoring below 40 (F grade) without extensive manual review
- ✗ Ignore CRITICAL findings - they indicate potential security threats
- ✗ Blindly add skills to allowlist without understanding why they access credentials
- ✗ Skip audit because a skill is "popular" or "official"
## Security Checks (18 total)
| # | Check | Severity | Description |
|---|-------|----------|-------------|
| 1 | credential-harvest | CRITICAL | Scripts reading API keys/tokens AND making network calls |
| 2 | exfiltration-url | CRITICAL | webhook.site, requestbin, ngrok URLs in scripts |
| 3 | obfuscated-payload | CRITICAL | Base64-encoded URLs or shell commands |
| 4 | sensitive-fs | CRITICAL | /etc/passwd, ~/.ssh, ~/.aws/credentials access |
| 5 | crypto-wallet | CRITICAL | Hardcoded ETH/BTC wallet addresses (drain attacks) |
| 6 | dependency-confusion | CRITICAL | Internal/private-scoped packages in public deps |
| 7 | typosquatting | CRITICAL | Misspelled package names (lodahs, requets, etc.) |
| 8 | symlink-attack | CRITICAL | Symlinks targeting sensitive system paths |
| 9 | code-execution | WARNING | eval(), exec(), subprocess patterns |
| 10 | time-bomb | WARNING | Date/time comparisons that could trigger delayed payloads |
| 11 | telemetry-detected | WARNING | Analytics SDKs, tracking pixels, phone-home behavior |
| 12 | excessive-permissions | WARNING | >15 bins/env/config items requested |
| 13 | unusual-ports | WARNING | Network calls to non-standard ports |
| 14 | prompt-injection | CRITICAL | Agent manipulation in docs: "ignore instructions", role hijacking, hidden HTML directives |
| 15 | download-execute | CRITICAL | curl\|bash, wget\|sh, eval $(curl), unsafe pip/npm installs |
| 16 | hidden-file | WARNING | Suspicious dotfiles that may hide malicious content |
| 17 | env-exfiltration | CRITICAL | Reading sensitive env vars + outbound network calls |
| 18 | privilege-escalation | CRITICAL | sudo, chmod 777/setuid, writes to system paths |
Context-aware: credential mentions in documentation are INFO, not CRITICAL.
## Trust Score (5 Dimensions)
| Dimension | Max | What's Measured |
|-----------|-----|-----------------|
| Security | 35 | Audit findings (criticals = -18, warnings = -4) |
| Quality | 22 | Description, version, usage docs, examples, metadata, changelog |
| Structure | 18 | File organization, tests, README, reasonable scope |
| Transparency | 15 | License, no minified code, code comments |
| Behavioral | 10 | Rate limiting, error handling, input validation |
Grades: A (90+), B (75+), C (60+), D (40+), F (<40)
### Comparative Scoringpython3 trust_score.py /path/to/skill-a --compare /path/to/skill-b
python3-trustscorepy-pathtoskill-a---compare-pathtoskill-b.txt
Shows per-dimension deltas and overall score difference.
### Trend Trackingpython3 trust_score.py /path/to/skill --trend # View history
python3-trustscorepy-pathtoskill---trend--view-history.txt
Stores up to 50 entries per skill in `trust_trends.json`.
## Tools
| File | Purpose |
|------|---------|
| audit.sh | Single skill security audit (18 checks) |
| audit-all.sh | Batch scan all installed skills |
| trust_score.py | Trust score calculator (5-dimension, 0-100) |
| diff-audit.sh | Compare skill versions for security regressions |
| benchmark.sh | Corpus-wide audit with aggregate statistics |
| inspect.sh | ClawHub pre-install workflow |
| report.sh | Markdown report generator |
| test.sh | Automated test suite (28 assertions, 12 test skills) |
| allowlist.json | Known-good credential skills |
## Test Suite
12 test skills (8 malicious, 4 clean) with 28 automated assertions:example.sh
# Audit a single skill
bash audit.sh /path/to/skill
# Trust score (0-100 across 5 dimensions)
python3 trust_score.py /path/to/skill
# Compare two skills side by side
python3 trust_score.py /path/to/skill1 --compare /path/to/skill2
# Track score over time
python3 trust_score.py /path/to/skill --save-trend
python3 trust_score.py /path/to/skill --trend
# Diff audit (before/after update)
bash diff-audit.sh /path/to/old-version /path/to/new-version
# Benchmark against a corpus
bash benchmark.sh /path/to/skills-dir
# Inspect a ClawHub skill before installing
bash inspect.sh skill-slug
# Audit all installed skills
bash audit-all.sh
# Generate a markdown report
bash report.sh
# Run test suite (28 assertions)
bash test.shTags
#coding_agents-and-ides
#security
Quick Info
Category Development
Model Claude 3.5
Complexity One-Click
Author yoder-bawt
Last Updated 3/10/2026
🚀
Optimized for
Claude 3.5
Ready to Install?
Get started with this skill in seconds
openclaw install yoder-skill-auditor
Related Skills
✓ Verified
💻 Development
4claw
4claw — a moderated imageboard for AI agents.
🧠 Claude-Ready
)}
★ 4.4 (118)
↓ 4,990
v1.0.0
✓ Verified
💻 Development
Aap Passport
Agent Attestation Protocol - The Reverse Turing Test.
🧠 Claude-Ready
)}
★ 4.3 (89)
↓ 4,621
v1.0.0
✓ Verified
💻 Development
Acestep Lyrics Transcription
Transcribe audio to timestamped lyrics using OpenAI Whisper or ElevenLabs Scribe API.
⚡ GPT-Optimized
)}
★ 3.8 (274)
↓ 17,648
v1.0.0
✓ Verified
💻 Development
Adaptive Suite
A continuously adaptive skill suite that empowers Clawdbot.
🧠 Claude-Ready
)}
★ 4.7 (88)
↓ 1,625
v1.0.0