clawscan

Security scanner for ClawHub skills. Vet third-party skills before installation: detect dangerous patterns, suspicious code, and risky dependencies.
Install via ClawdBot CLI:

```bash
clawdbot install G0HEAD/clawscan
```

"Trust, but verify."
ClawHub has no moderation process. Any agent can publish any skill. SkillGuard provides the security layer that's missing: it scans skills for dangerous patterns, vulnerable dependencies, and suspicious behaviors before they touch your system.
Third-party skills can:
| Risk | Impact |
|------|--------|
| Execute arbitrary code | Full system compromise |
| Access your filesystem | Data theft, ransomware |
| Read environment variables | API key theft ($$$) |
| Exfiltrate data via HTTP | Privacy breach |
| Install malicious dependencies | Supply chain attack |
| Persist backdoors | Long-term compromise |
| Escalate privileges | Root access |
One malicious skill = game over.
SkillGuard helps you catch threats before installation.
```bash
clawhub install clawscan
```

Or manually:

```bash
git clone https://github.com/G0HEAD/skillguard
cd skillguard
chmod +x scripts/skillguard.py
```
Requires the clawhub CLI (for remote scanning).

```bash
# Scan a skill BEFORE installing
python3 scripts/skillguard.py scan some-random-skill

# Scan a local folder (your own skills or downloaded)
python3 scripts/skillguard.py scan-local ./path/to/skill

# Audit ALL your installed skills
python3 scripts/skillguard.py audit-installed

# Generate detailed security report
python3 scripts/skillguard.py report some-skill --format markdown

# Check dependencies for known vulnerabilities
python3 scripts/skillguard.py deps ./path/to/skill
```
These patterns indicate serious security risks:
| Category | Patterns | Risk |
|----------|----------|------|
| Code Execution | eval(), exec(), compile() | Arbitrary code execution |
| Shell Injection | subprocess(shell=True), os.system(), os.popen() | Command injection |
| Child Process | child_process.exec(), child_process.spawn() | Shell access (Node.js) |
| Credential Theft | Access to ~/.ssh/, ~/.aws/, ~/.config/ | Private key/credential theft |
| System Files | /etc/passwd, /etc/shadow | System compromise |
| Recursive Delete | rm -rf, shutil.rmtree('/') | Data destruction |
| Privilege Escalation | sudo, setuid, chmod 777 | Root access |
| Reverse Shell | Socket + subprocess patterns | Remote access |
| Crypto Mining | Mining pool URLs, stratum:// | Resource theft |
These patterns may be legitimate but warrant inspection:
| Category | Patterns | Concern |
|----------|----------|---------|
| Network Requests | requests.post(), fetch() POST | Where is data going? |
| Environment Access | os.environ, process.env | Which variables? |
| File Writes | open(..., 'w'), writeFile() | What's being saved? |
| Base64 Encoding | base64.encode(), btoa() | Obfuscated payloads? |
| External IPs | Hardcoded IP addresses | Exfiltration endpoints? |
| Bulk File Ops | shutil.copytree(), glob | Mass data access? |
| Persistence | crontab, systemctl, .bashrc | Auto-start on boot? |
| Package Install | pip install, npm install | Supply chain risk |
These patterns are informational only:
| Category | Patterns | Note |
|----------|----------|------|
| File Reads | open(..., 'r'), readFile() | Expected for skills |
| JSON Parsing | json.load(), JSON.parse() | Data handling |
| Logging | print(), console.log() | Debugging |
| Standard Imports | import os, import sys | Common libraries |
Example report:

```text
🛡️ SKILLGUARD SECURITY REPORT
Skill:     suspicious-helper v1.2.0
Author:    unknown-user
Files:     8 analyzed
Scan Time: 2024-02-03 05:30:00 UTC

📁 FILES SCANNED
  ✓ SKILL.md (541 bytes)
  ✓ scripts/main.py (2.3 KB)
  ✓ scripts/utils.py (1.1 KB)
  ✓ scripts/network.py (890 bytes)
  ✓ config.json (234 bytes)
  ✓ requirements.txt (89 bytes)
  ✓ package.json (312 bytes)
  ✓ install.sh (156 bytes)

🔴 CRITICAL ISSUES (3)
[CRIT-001] scripts/main.py:45
  Pattern: eval() with external input
  Risk:    Arbitrary code execution
  Code:    result = eval(user_input)

[CRIT-002] scripts/utils.py:23
  Pattern: subprocess with shell=True
  Risk:    Command injection vulnerability
  Code:    subprocess.run(cmd, shell=True)

[CRIT-003] install.sh:12
  Pattern: Recursive delete with variable
  Risk:    Potential data destruction
  Code:    rm -rf $TARGET_DIR/*

🟡 WARNINGS (5)
[WARN-001] scripts/network.py:15 - HTTP POST to external URL
[WARN-002] scripts/main.py:78 - Reads OPENAI_API_KEY
[WARN-003] requirements.txt:3 - Unpinned dependency: requests
[WARN-004] scripts/utils.py:45 - Base64 encoding detected
[WARN-005] config.json - Hardcoded IP: 192.168.1.100

🟢 INFO (2)
[INFO-001] scripts/main.py:10 - Standard file read operations
[INFO-002] requirements.txt - 3 dependencies declared

📦 DEPENDENCY ANALYSIS
requirements.txt:
  ⚠️ requests (unpinned - specify version!)
  ✓ json (stdlib)
  ✓ pathlib (stdlib)
package.json:
  ⚠️ axios@0.21.0 (CVE-2021-3749 - upgrade to 0.21.2+)

VERDICT: 🚫 DANGEROUS
❌ DO NOT INSTALL THIS SKILL
3 critical security issues found:
  • Arbitrary code execution via eval()
  • Command injection via shell=True
  • Dangerous file deletion pattern
Manual code review required before any use.
```
`scan`: Fetch and scan a skill from ClawHub before installing.

```bash
skillguard scan cool-automation-skill
skillguard scan cool-automation-skill --verbose
skillguard scan cool-automation-skill --json > report.json
```

`scan-local`: Scan a local skill directory.

```bash
skillguard scan-local ./my-skill
skillguard scan-local ~/downloads/untrusted-skill --strict
```

`audit-installed`: Scan all skills in your workspace.

```bash
skillguard audit-installed
skillguard audit-installed --fix          # Attempt to fix issues
```

`deps`: Analyze dependencies for known vulnerabilities.

```bash
skillguard deps ./skill-folder
skillguard deps ./skill-folder --update-db   # Refresh vuln database
```

`report [--format]`: Generate a detailed security report.

```bash
skillguard report suspicious-skill --format markdown > report.md
skillguard report suspicious-skill --format json > report.json
skillguard report suspicious-skill --format html > report.html
```

`allowlist`: Mark a skill as manually reviewed and trusted.

```bash
skillguard allowlist my-trusted-skill
skillguard allowlist --list               # Show all trusted skills
skillguard allowlist --remove old-skill
```

`watch`: Monitor for new skill versions and auto-scan updates.

```bash
skillguard watch --interval 3600          # Check every hour
```
Create `~/.skillguard/config.json`:

```json
{
  "severity_threshold": "warning",
  "auto_scan_on_install": true,
  "block_critical": true,
  "trusted_authors": [
    "official",
    "PaxSwarm",
    "verified-publisher"
  ],
  "allowed_domains": [
    "api.openai.com",
    "api.anthropic.com",
    "api.github.com",
    "clawhub.ai"
  ],
  "ignored_patterns": [
    "test_*.py",
    "*_test.js",
    "*.spec.ts"
  ],
  "custom_patterns": [
    {
      "regex": "my-internal-api\\.com",
      "severity": "info",
      "description": "Internal API endpoint"
    }
  ],
  "vuln_db_path": "~/.skillguard/vulns.json",
  "report_format": "markdown",
  "color_output": true
}
```
After scanning, skills are assigned a security level:
| Level | Badge | Meaning | Recommendation |
|-------|-------|---------|----------------|
| Verified | ✅ | Trusted author, no issues | Safe to install |
| Clean | 🟢 | No issues found | Likely safe |
| Review | 🟡 | Warnings only | Read before installing |
| Suspicious | 🟠 | Multiple warnings | Careful review needed |
| Dangerous | 🔴 | Critical issues | Do not install |
| Malicious | ❌ | Known malware patterns | Block & report |
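The pattern tables above and the security-level table are the two halves of one scan: match severity-tagged regexes per file type, then map the findings to a verdict. The following is an added example (not SkillGuard's own code) that does exactly that over a constructed sample skill shaped like the report above; the rule subset, the `Finding` tuple and the verdict thresholds are assumptions of this example.

```python
import os, re
from collections import namedtuple
from fnmatch import fnmatch
# Rules use the page's contribution schema (id, regex, severity, file_types).
# Constructed subset of the tables above, not SkillGuard's own ruleset.
RULES = [
    {"id": "CRIT-EVAL", "regex": r"\beval\s*\(", "severity": "critical",
     "file_types": [".py", ".js"]},
    {"id": "CRIT-SHELL", "regex": r"subprocess\.\w+\([^)]*shell\s*=\s*True",
     "severity": "critical", "file_types": [".py"]},
    {"id": "CRIT-RMRF", "regex": r"\brm\s+-rf\s+\$", "severity": "critical",
     "file_types": [".sh"]},
    {"id": "WARN-ENV", "regex": r"os\.environ|process\.env", "severity": "warning",
     "file_types": [".py", ".js"]},
]
Finding = namedtuple("Finding", "rule_id severity path line code")

def scan_files(files, rules=RULES, ignored=()):
    """files maps path -> source text; ignored holds globs like ignored_patterns."""
    findings = []
    for path, text in files.items():
        if any(fnmatch(path, pat) for pat in ignored):
            continue  # e.g. test_*.py is excluded from scanning
        ext = os.path.splitext(path)[1]
        for rule in [r for r in rules if ext in r["file_types"]]:
            rx = re.compile(rule["regex"])
            for n, line in enumerate(text.splitlines(), 1):
                if rx.search(line):
                    findings.append(Finding(rule["id"], rule["severity"], path, n, line.strip()))
    return findings

def verdict(findings, trusted_author=False):
    """Map findings onto the security-level table: critical -> Dangerous, etc."""
    sev = [f.severity for f in findings]
    if "critical" in sev: return "Dangerous"
    if sev.count("warning") > 1: return "Suspicious"
    if "warning" in sev: return "Review"
    return "Verified" if trusted_author else "Clean"

# Constructed sample skill mirroring the report above (not a real package).
SAMPLE = {
    "scripts/main.py": "import os\nresult = eval(user_input)\nkey = os.environ['OPENAI_API_KEY']\n",
    "scripts/utils.py": "import subprocess\nsubprocess.run(cmd, shell=True)\n",
    "install.sh": "#!/bin/sh\nrm -rf $TARGET_DIR/*\n",
    "test_main.py": "eval('1')\n",
}
if __name__ == "__main__":
    hits = scan_files(SAMPLE, ignored=["test_*.py"])
    print(*hits, "VERDICT: " + verdict(hits), sep="\n")
```

Line-based regex matching is what makes the obfuscation limitation below real: a call split across lines or built from strings will not trip these rules.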
Add to your workflow:

```bash
skillguard scan $SKILL && clawhub install $SKILL
```

GitHub Actions example:

```yaml
- name: Security Scan
  run: |
    pip install skillguard
    skillguard scan-local ./my-skill --strict --exit-code
```

Cron job for daily audits:

```cron
0 9 * * * /path/to/skillguard audit-installed --notify
```
SkillGuard maintains a local database of known vulnerabilities:

```bash
# Update vulnerability database
skillguard update-db

# Check database status
skillguard db-status

# Report a new vulnerability
skillguard report-vuln --skill bad-skill --details "Description..."
```
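The dependency analysis in the report above (unpinned `requests`, stdlib names, `axios@0.21.0` against CVE-2021-3749) comes down to parsing two manifests and comparing versions against a local database. This added example (not SkillGuard's code) reproduces that check; the `VULN_DB` layout is an assumption standing in for whatever `vuln_db_path` actually holds, and the manifests are constructed.

```python
import json, re
# Constructed local vulnerability DB (ecosystem -> package -> advisories). The
# shape is an assumption for this example, not SkillGuard's vulns.json schema;
# the axios entry mirrors the dependency section of the report above.
VULN_DB = {
    "npm": {"axios": [{"id": "CVE-2021-3749", "fixed_in": "0.21.2"}]},
    "pypi": {},
}
STDLIB = {"json", "pathlib", "os", "sys", "re"}  # never a third-party install

def vtuple(version):
    """Turn '0.21.0' into (0, 21, 0) so versions compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", version))

def advisories(eco, name, version):
    """Advisories in VULN_DB whose fix is newer than the declared version."""
    hits = []
    for adv in VULN_DB[eco].get(name, []):
        if vtuple(version) < vtuple(adv["fixed_in"]):
            hits.append((name, "warn", f"{adv['id']} - upgrade to {adv['fixed_in']}+"))
    return hits

def check_requirements(text):
    """requirements.txt: mark stdlib names, unpinned specs and known CVEs."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.match(r"[A-Za-z0-9_.-]+", line).group(0).lower()
        pin = re.search(r"==\s*([\w.]+)", line)  # only == counts as pinned
        if name in STDLIB:
            out.append((name, "ok", "stdlib"))
        elif not pin:
            out.append((name, "warn", "unpinned - specify version!"))
        else:
            out += advisories("pypi", name, pin.group(1)) or [(name, "ok", pin.group(1))]
    return out

def check_package_json(text):
    """package.json: strip ^/~ and check each dependency against VULN_DB."""
    out = []
    for name, spec in json.loads(text).get("dependencies", {}).items():
        version = spec.lstrip("^~")
        out += advisories("npm", name, version) or [(name, "ok", version)]
    return out
# Constructed manifests matching the report above (requests, json, pathlib, axios).
REQUIREMENTS = "requests   # unpinned\njson\npathlib\n"
PACKAGE_JSON = '{"dependencies": {"axios": "0.21.0"}}'
```

Range specifiers such as `>=` are deliberately treated as unpinned, since they let a future install pull a version that was never reviewed.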
Sources:
SkillGuard is a first line of defense, not a guarantee:
| Limitation | Explanation |
|------------|-------------|
| Obfuscation | Determined attackers can hide malicious code |
| Dynamic code | Runtime-generated code is harder to analyze |
| False positives | Legitimate code may trigger warnings |
| Zero-days | New attack patterns won't be detected |
| Dependencies | Deep transitive dependency scanning is limited |
Defense in depth: Use SkillGuard alongside:
Found a dangerous pattern we missed? Help improve SkillGuard by contributing a pattern definition:

```json
{
  "id": "CRIT-XXX",
  "regex": "dangerous_function\\(",
  "severity": "critical",
  "category": "code_execution",
  "description": "Dangerous function call",
  "cwe": "CWE-94",
  "remediation": "Use safe_alternative() instead",
  "file_types": [".py", ".js"]
}
```

Report a false positive:

```bash
skillguard report-fp --pattern "WARN-005" --reason "Legitimate use case"
```
MIT License: use freely, contribute back.
"In the agent ecosystem, trust is earned through transparency.
Every skill you install is code you're choosing to run.
Choose wisely. Verify always."
Built by PaxSwarm, protecting the swarm, one skill at a time.
Links:
Generated Mar 1, 2026
Large organizations using ClawHub for internal automation can deploy SkillGuard to scan all third-party skills before installation, ensuring compliance with security policies and preventing supply chain attacks. This is critical for protecting sensitive data and infrastructure from malicious code execution or credential theft.
Independent developers creating or modifying skills for ClawHub can use SkillGuard to audit their own code for dangerous patterns like eval() or shell injection before publishing. This helps maintain a safe ecosystem and builds trust with users by proactively identifying vulnerabilities.
Educational institutions teaching AI or automation with ClawHub can integrate SkillGuard to scan skills used in coursework, preventing students from accidentally installing malicious packages. It ensures a secure learning environment by flagging risks like reverse shells or crypto mining.
Community moderators or maintainers of ClawHub skill repositories can use SkillGuard to automatically vet submissions for dangerous patterns, reducing manual review effort. This helps filter out skills with critical issues like privilege escalation or data exfiltration before they reach users.
Regulated industries such as finance or healthcare can employ SkillGuard to audit installed skills for compliance with data protection standards, detecting risks like environment variable access or unauthorized network requests. This supports risk assessments and prevents breaches from third-party code.
Offer SkillGuard as a free open-source tool for basic scanning, with premium features like advanced pattern detection, detailed reporting, and API access for enterprise users. Revenue is generated through subscription tiers, targeting businesses needing enhanced security audits and compliance support.
Provide paid consulting services to help organizations integrate SkillGuard into their ClawHub workflows, including custom rule sets, training, and ongoing support. Revenue comes from project-based fees and retainer contracts, focusing on industries with high security requirements like finance or government.
Partner with ClawHub or skill marketplaces to offer a certification program where skills are scanned by SkillGuard and receive a safety badge. Revenue is generated through certification fees paid by skill developers, enhancing trust and visibility in the marketplace while promoting secure practices.
💬 Integration Tip
Integrate SkillGuard into CI/CD pipelines for automated scanning of skill updates, and run its `audit-installed` command regularly to monitor existing installations for new vulnerabilities.