939★by hugosbl
skill-scanner – OpenClaw Skill
skill-scanner is an OpenClaw Skills integration for coding workflows. Scan OpenBot/Clawdbot skills for security vulnerabilities, malicious code, and suspicious patterns before installing them. Use when a user wants to audit a skill, check if a ClawHub skill is safe, scan for credential exfiltration, detect prompt injection, or review skill security. Triggers on security audit, skill safety check, malware scan, or trust verification.
Skill Snapshot
| name | skill-scanner |
| description | Scan OpenBot/Clawdbot skills for security vulnerabilities, malicious code, and suspicious patterns before installing them. Use when a user wants to audit a skill, check if a ClawHub skill is safe, scan for credential exfiltration, detect prompt injection, or review skill security. Triggers on security audit, skill safety check, malware scan, or trust verification. OpenClaw Skills integration. |
| owner | hugosbl |
| repository | hugosbl/ai-skill-scanner |
| language | Markdown |
| license | MIT |
| topics | |
| security | L1 |
| install | openclaw add @hugosbl/ai-skill-scanner |
| last updated | Feb 7, 2026 |
Maintainer
name: skill-scanner description: Scan OpenBot/Clawdbot skills for security vulnerabilities, malicious code, and suspicious patterns before installing them. Use when a user wants to audit a skill, check if a ClawHub skill is safe, scan for credential exfiltration, detect prompt injection, or review skill security. Triggers on security audit, skill safety check, malware scan, or trust verification.
Skill Security Scanner
Scan skills for malicious patterns before installation. Detects credential exfiltration, suspicious network calls, obfuscated code, prompt injection, and other red flags.
Quick Start
# Scan a local skill folder
python3 scripts/scan.py /path/to/skill
# Verbose output (show matched lines)
python3 scripts/scan.py /path/to/skill --verbose
# JSON output (for automation)
python3 scripts/scan.py /path/to/skill --json
Workflow: Scan Before Install
- Download or locate the skill folder
- Run
python3 scripts/scan.py <skill-path> --verbose - Review findings by severity (CRITICAL/HIGH = do not install)
- Report results to user with recommendation
Score Interpretation
| Score | Meaning | Recommendation |
|---|---|---|
| CLEAN | No issues found | Safe to install |
| INFO | Minor notes only | Safe to install |
| REVIEW | Medium-severity findings | Review manually before installing |
| SUSPICIOUS | High-severity findings | Do NOT install without thorough manual review |
| DANGEROUS | Critical findings detected | Do NOT install — likely malicious |
Exit Codes
0= CLEAN/INFO1= REVIEW2= SUSPICIOUS3= DANGEROUS
Rules Reference
See references/rules.md for full list of detection rules, severity levels, and whitelisted domains.
Limitations
- Pattern-based detection — cannot catch all obfuscation techniques
- No runtime analysis — only static scanning
- False positives possible for legitimate tools that access network/files
- Always combine with manual review for HIGH/MEDIUM findings
No README available.
Permissions & Security
Security level L1: Low-risk skills with minimal permissions. Review inputs and outputs before running in production.
Requirements
- OpenClaw CLI installed and configured.
- Language: Markdown
- License: MIT
- Topics:
FAQ
How do I install skill-scanner?
Run openclaw add @hugosbl/ai-skill-scanner in your terminal. This installs skill-scanner into your OpenClaw Skills catalog.
Does this skill run locally or in the cloud?
OpenClaw Skills execute locally by default. Review the SKILL.md and permissions before running any skill.
Where can I verify the source code?
The source repository is available at https://github.com/openclaw/skills/tree/main/skills/hugosbl/ai-skill-scanner. Review commits and README documentation before installing.