raini-skill-auditScans installed or remote OpenClaw skills for security risks like credential leaks and suspicious code to prevent supply chain attacks.
Install via ClawdBot CLI:
clawdbot install 0xRaini/raini-skill-auditๆซๆ OpenClaw skills ไธญ็ๅฎๅ จ้ฃ้ฉ๏ผ้ฒๆญขไพๅบ้พๆปๅปใ
/skill-audit scan [skill-name]ๆซๆๅทฒๅฎ่ฃ ็ skill๏ผๆฃๆตๅฏ็ไปฃ็ ๆจกๅผใ
# ๆซๆๆๆๅทฒๅฎ่ฃ
skill
skill-audit scan
# ๆซๆๆๅฎ skill
skill-audit scan moltdash
# ๆซๆๆฌๅฐ็ฎๅฝ
skill-audit scan ./my-skill/skill-audit check ๅฎ่ฃ ๅๆฃๆฅ ClawHub ไธ็ skillใ
skill-audit check some-skill~/.ssh/, ~/.env, credentials.jsonfetch(), curl, webhook, POST ๅฐๆช็ฅ URLeval(), exec(), child_processprocess.env.API_KEYfs.readdir(), glob๐ Skill Audit Report: suspicious-weather
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Risk Score: 85/100 ๐ด HIGH RISK
โโโโโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ File โ Severity โ Finding โ
โโโโโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ index.ts โ CRITICAL โ Reads ~/.openclaw/credentials/ โ
โ index.ts โ CRITICAL โ POST to webhook.site โ
โ utils.ts โ WARNING โ Uses eval() โ
โโโโโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๏ธ DO NOT INSTALL - This skill may steal your credentials!่ฏฅ skill ้ๅธฆไธไธช CLI ่ๆฌ๏ผagent ๅฏ็ดๆฅ่ฐ็จ๏ผ
node {baseDir}/src/audit.js scan ~/.openclaw/workspace/skills/moltdash
node {baseDir}/src/audit.js scan --allGenerated Mar 1, 2026
Large organizations deploying AI agents across departments use Skill Audit to vet third-party skills before installation. This prevents supply chain attacks where malicious code could steal credentials or exfiltrate sensitive data through seemingly harmless productivity tools.
Individual developers and small teams use this tool to scan locally developed skills or community-shared packages before integrating them into their OpenClaw environment. It helps identify risky patterns like eval() usage or unauthorized network calls that could compromise their development machines.
Companies in regulated industries use Skill Audit to generate security reports for internal compliance teams or external auditors. The structured risk scoring and findings documentation helps demonstrate due diligence in managing AI agent security risks.
Skill marketplace operators integrate Skill Audit into their submission pipelines to automatically flag potentially dangerous skills before they're published. This maintains platform trust by preventing malicious code from reaching end users while educating developers about secure coding practices.
Organizations with mature DevOps practices incorporate Skill Audit into their CI/CD pipelines to automatically scan skills during development and deployment phases. This shifts security left by catching vulnerabilities early, reducing remediation costs and preventing production incidents.
Sell annual enterprise licenses with features like centralized reporting, API access for integration into existing security tools, and priority support. This targets large organizations needing to secure multiple teams and environments with compliance requirements.
Offer a free tier for individual developers scanning local skills, with paid tiers for teams needing collaboration features, historical reports, and advanced scanning rules. The SaaS model provides recurring revenue with low customer acquisition costs through the developer community.
Partner with skill marketplaces to provide scanning as a value-added service, taking a percentage of transactions or charging marketplace operators for quality assurance. This leverages existing platforms' user bases while enhancing their security posture and user trust.
๐ฌ Integration Tip
Integrate Skill Audit into your skill installation workflow using its CLI interface, and consider automating scans in CI/CD pipelines to catch security issues before deployment.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.