ai-skill-scanner
Scan OpenBot/Clawdbot skills for security vulnerabilities, malicious code, and suspicious patterns before installing them. Use when a user wants to audit a skill, check if a ClawHub skill is safe, scan for credential exfiltration, detect prompt injection, or review skill security. Triggers on security audit, skill safety check, malware scan, or trust verification.
Install via ClawdBot CLI:
clawdbot install HugoSbl/ai-skill-scanner
Scan skills for malicious patterns before installation. Detects credential exfiltration, suspicious network calls, obfuscated code, prompt injection, and other red flags.
# Scan a local skill folder
python3 scripts/scan.py /path/to/skill
# Verbose output (show matched lines)
python3 scripts/scan.py /path/to/skill --verbose
# JSON output (for automation)
python3 scripts/scan.py /path/to/skill --json
python3 scripts/scan.py --verbose

| Score | Meaning | Recommendation |
|-------|---------|----------------|
| CLEAN | No issues found | Safe to install |
| INFO | Minor notes only | Safe to install |
| REVIEW | Medium-severity findings | Review manually before installing |
| SUSPICIOUS | High-severity findings | Do NOT install without thorough manual review |
| DANGEROUS | Critical findings detected | Do NOT install - likely malicious |

0 = CLEAN/INFO
1 = REVIEW
2 = SUSPICIOUS
3 = DANGEROUS
See references/rules.md for full list of detection rules, severity levels, and whitelisted domains.
Generated Mar 1, 2026
Large organizations deploying AI agents across departments use this skill to vet third-party skills before integration. It helps ensure compliance with security policies and prevents credential leaks from untrusted sources, reducing risk in regulated industries like finance or healthcare.
Platforms hosting AI skill marketplaces integrate this scanner to automatically check uploaded skills for malicious code. It provides a safety rating for each skill, building user trust and preventing the spread of malware within developer ecosystems.
Universities and training labs use this tool to scan student-created skills in AI courses. It teaches security best practices by identifying vulnerabilities like prompt injection, ensuring a safe learning environment without exposing sensitive data.
Compliance teams in corporations employ this skill to audit AI agent skills for regulatory adherence. It detects suspicious patterns that might violate data protection laws, aiding in risk assessments and audit trails for legal oversight.
Open-source maintainers use the scanner to review contributions for security flaws before merging. It helps prevent the introduction of backdoors or credential exfiltration in community-driven projects, enhancing overall project integrity.
Offer a free basic scanning version with limited rules, then charge for advanced features like custom rule sets, priority support, and integration APIs. Revenue comes from subscriptions tailored to enterprises needing deeper security analysis.
License the scanner to AI skill marketplaces as a built-in safety feature. Charge based on usage volume or a flat fee, providing real-time scanning that boosts platform credibility and reduces liability from malicious skills.
Provide security consulting services where the tool is customized for specific client needs, such as adding industry-specific detection rules. Revenue is generated through project-based fees and ongoing maintenance contracts.
Integration Tip
Integrate the scanner into CI/CD pipelines to automatically check skills during deployment, ensuring continuous security without manual intervention.
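A pipeline gate built on the score table above, as an added example that is not part of the scanner or its documentation. It assumes the 0-3 values listed on this page are the exit status of scripts/scan.py; SCAN_CMD, MAX_ALLOWED and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: CI gate around the scanner. ASSUMPTION: the 0-3 values the
# page lists are scan.py's process exit status; the page does not say so.
# SCAN_CMD and MAX_ALLOWED are hypothetical knobs: the scanner command and the
# highest status still allowed to pass (0 = CLEAN/INFO only, 1 = also REVIEW).
SCAN_CMD=${SCAN_CMD:-"python3 scripts/scan.py"}
MAX_ALLOWED=${MAX_ALLOWED:-0}

# Map a scanner status to the page's score name; anything else is UNKNOWN.
status_name() {
  case "$1" in
    0) echo "CLEAN/INFO" ;;
    1) echo "REVIEW" ;;
    2) echo "SUSPICIOUS" ;;
    3) echo "DANGEROUS" ;;
    *) echo "UNKNOWN" ;;
  esac
}

# gate_skill DIR: returns 0 if the skill may be installed, 1 otherwise.
gate_skill() {
  local dir="$1" status=0 name
  if [ ! -d "$dir" ]; then
    echo "gate: $dir is not a directory, blocking" >&2
    return 1
  fi
  # Capture the status without tripping `set -e` in the calling CI job.
  $SCAN_CMD "$dir" --verbose || status=$?
  name=$(status_name "$status")
  if [ "$name" = "UNKNOWN" ]; then
    # Crash, missing interpreter, killed process: fail closed.
    echo "gate: unexpected scanner status $status for $dir, blocking" >&2
    return 1
  fi
  if [ "$status" -gt "$MAX_ALLOWED" ]; then
    echo "gate: $dir scored $name, blocking" >&2
    return 1
  fi
  echo "gate: $dir scored $name, allowed"
}

# Gate every skill directory given; scan them all, block if any one fails.
gate_all() {
  local failed=0 d
  for d in "$@"; do gate_skill "$d" || failed=1; done
  return "$failed"
}

[ "$#" -eq 0 ] || gate_all "$@"
```

Python itself exits with status 1 on an uncaught exception, which under this assumption is indistinguishable from REVIEW, so keep MAX_ALLOWED at 0 unless the job can tell the two apart.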
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.