aura-security-scanner

Scan AI agent skills for malware, credential theft, prompt injection, and dangerous permissions before installing them

Install via ClawdBot CLI:

```
clawdbot install aura-security-scanner
```

Protect your AI agent from malicious skills. Scan any OpenClaw, Claude MCP, or LangChain skill before installation.
Ask me to scan a skill before you install it:
"Scan this skill for security issues: https://github.com/user/cool-skill"
"Is this skill safe? https://github.com/example/mcp-tool"
"Check https://clawhub.xyz/skill/weather-api for malware"
| Verdict | Risk Score | Meaning |
|---------|-----------|---------|
| SAFE | 0-20 | No issues found, safe to install |
| WARNING | 21-50 | Minor concerns, review before installing |
| DANGEROUS | 51-80 | Significant risks detected, avoid |
| BLOCKED | 81-100 | Critical threats, do not install |
Skills with a SAFE verdict can display the AURA Verified badge, showing users they've been scanned and approved.

```
AURA Skill Scan: weather-api
Verdict: SAFE
Risk Score: 5/100
AURA Verified: Yes
Summary: Clean skill with minimal permissions.
Requests only weather API access.
Recommendation: Safe to install.
```

```
AURA Skill Scan: suspicious-helper
Verdict: DANGEROUS
Risk Score: 78/100
AURA Verified: No
Findings:
- CRITICAL: Accesses SSH keys (~/.ssh/id_rsa)
- HIGH: Sends data to webhook.site
- HIGH: Runs eval() on decoded base64
Recommendation: Do not install. Contains credential
theft and data exfiltration patterns.
```

This skill calls the AURA Security API:

```
POST https://api.aurasecurity.io/scan-skill
{
  "skillUrl": "https://github.com/user/skill",
  "format": "auto",
  "includeRepoTrust": true
}
```

AURA (Agent Universal Reputation & Assurance) provides security infrastructure for the AI agent ecosystem. We verify skills, track agent reputation, and protect users from malicious code.
Generated Mar 1, 2026
Large organizations deploying AI agents for internal automation need to vet third-party skills to prevent data breaches. This scanner ensures skills don't contain malware or excessive permissions before integration into corporate workflows, protecting sensitive information.
Platforms hosting AI agent skill marketplaces can integrate this scanner to automatically screen submissions. It helps maintain trust by flagging dangerous skills like those with prompt injection or credential theft, ensuring a safe ecosystem for users.
Schools and universities using AI agents for research or student assistance must avoid malicious skills that could compromise systems. This scanner allows safe experimentation by verifying skills from public repositories before installation in academic environments.
Independent professionals using AI agents for tasks like content creation or data analysis need to protect their devices and data. This scanner helps them quickly assess skills from sources like GitHub, preventing installation of tools with hidden risks like crypto miners.
Offer free basic scans with limited features to attract users, then charge for advanced scans, higher rate limits, or detailed reports. Revenue comes from subscription tiers for developers and enterprises needing frequent or bulk skill analysis.
License the scanning technology to companies building AI agent platforms or marketplaces. Provide custom integrations and support for automated vetting of skills, generating revenue through annual contracts and service-level agreements.
Charge skill developers for verified badges that indicate safety, boosting trust and visibility in marketplaces. Revenue comes from one-time or recurring certification fees, plus potential partnerships with platforms for featured listings.
💬 Integration Tip
Ensure the AURA_API_URL environment variable is set correctly before use, and test with a known safe skill URL to verify connectivity and response format.
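
A pre-install gate built from the verdict table, the request body and the AURA_API_URL setting described on this page, as an added example that is not AURA's or the skill's own code. The function names and the install-only-on-SAFE policy are assumptions of this example; it makes no network call and assumes nothing about the API's response fields.

```python
import json
import os
from urllib.parse import urlsplit

# Verdict bands copied from the table on this page: (upper bound, verdict).
BANDS = [(20, "SAFE"), (50, "WARNING"), (80, "DANGEROUS"), (100, "BLOCKED")]
DEFAULT_API = "https://api.aurasecurity.io/scan-skill"  # endpoint shown on this page


def api_url(env=None):
    """Resolve the scan endpoint from AURA_API_URL, refusing non-HTTPS values."""
    env = os.environ if env is None else env
    url = env.get("AURA_API_URL", DEFAULT_API)
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"AURA_API_URL must be an https URL, got {url!r}")
    return url


def build_request(skill_url):
    """Build the JSON body shown on this page for one skill URL."""
    parts = urlsplit(skill_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"skill URL must be https: {skill_url!r}")
    body = {"skillUrl": skill_url, "format": "auto", "includeRepoTrust": True}
    return json.dumps(body)


def verdict_for(score):
    """Map a 0-100 risk score to its verdict; anything else is BLOCKED."""
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        return "BLOCKED"  # fail closed on missing, non-integer or out-of-range scores
    for upper, verdict in BANDS:
        if score <= upper:
            return verdict


def may_install(score, reported_verdict=None):
    """Assumed policy: install only on SAFE, and only if the reported verdict agrees."""
    verdict = verdict_for(score)
    if reported_verdict is not None and reported_verdict != verdict:
        return False  # score and verdict disagree: treat the result as untrusted
    return verdict == "SAFE"
```

Feeding it the two sample reports above, `may_install(5, "SAFE")` allows the install and `may_install(78, "DANGEROUS")` refuses it.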
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.