🛡️ Agent Security

Skill Security Auditorv1.0.1

Name: Skill Security Auditor
Author: akhmittra

skill-security-auditor

Command-line security analyzer for ClawHub skills. Run analyze-skill.sh to scan SKILL.md files for malicious patterns, credential leaks, and C2 infrastructure before installation. Includes threat intelligence database with 20+ detection patterns.

security

Download Package View on ClawHub

Installs (all time)

Installs (current)

Downloads

4.1K

Stars

CreatedFeb 8, 2026

UpdatedFeb 26, 2026

Install & Quick Start

Install via ClawdBot CLI:

clawdbot install akhmittra/skill-security-auditor

Skill Package4 files

📋SKILL.mdmarkdown

Failed to load file.

Quality Score

A68/100

Grade Good — based on market validation, documentation quality, package completeness, maintenance status, and authenticity signals.

Market Validation12/35

· 7 installs (low)
· 1477 downloads (moderate demand)

Documentation20/25

· SKILL.md present
· Detailed documentation (≥3000 chars)
· Contains usage examples or trigger description
· Detailed summary

Package Completeness11/15

· skillAssets present (3 files)

Security Analysis

💙 Low Risk

UNSAFE_SHELLmedium

Potentially destructive shell commands in tool definitions

curl | bash

UNDOCUMENTED_EXTERNALlow

Calls external URL not in known-safe list

https://clawhub.ai/api/skills/bitcoin-tracker/latest

KNOWN_EXTERNALlow

Uses known external API (expected, informational)

raw.githubusercontent.com

AI Analysis

The skill is a security analysis tool that runs locally via a bash script; its external API calls are to ClawHub and GitHub for expected skill metadata and pattern updates, consistent with its stated purpose. There are no hidden instructions, credential harvesting patterns, or obfuscation indicating malicious intent, though the 'curl | bash' pattern in its own definition is a minor security contradiction.

💡

Usage Guide

Generated Mar 1, 2026

security analystsDevOps engineersopen source maintainersplatform moderatorsbeginner

💡 Application Scenarios

Open Source Software Repository Security VettingTechnology and Software Development

Organizations integrating third-party scripts or tools from public repositories can use this skill to audit contributions before deployment. It helps detect malicious patterns like hidden payloads or credential leaks in documentation, preventing supply chain attacks similar to the ClawHavoc campaign.

DevOps Pipeline Pre-Installation ScanningInformation Technology and Cloud Services

DevOps teams can incorporate this tool into CI/CD pipelines to automatically scan new dependencies or plugins for security risks before installation. It validates SKILL.md files for suspicious patterns, ensuring only vetted components are deployed in production environments.

Cybersecurity Training and Awareness ProgramsEducation and Cybersecurity Training

Educational institutions or security firms can use this skill in training exercises to teach students about threat detection in code and documentation. It provides hands-on experience with pattern matching and risk scoring, enhancing skills in identifying malware and social engineering tactics.

Community Platform Moderation and Skill CurationOnline Platforms and Community Management

Platforms hosting user-generated skills or plugins, like ClawHub, can deploy this tool to vet submissions automatically. It scans for malicious indicators such as C2 infrastructure or fake prerequisites, helping moderators flag high-risk content before it reaches end-users.

Internal Security Audits for Legacy SystemsFinance and Healthcare

Companies with legacy systems can run this skill to audit existing installed skills or scripts for vulnerabilities. It identifies credential leaks and dependency risks, supporting compliance efforts and reducing exposure to threats like credential harvesting from outdated components.

💼 Business Models

Freemium Security ToolSubscription fees from premium tiers

Offer a basic version of the skill for free with limited pattern detection, while charging for advanced features like real-time threat intelligence updates, custom pattern creation, or API access. Revenue comes from subscriptions for enterprise users seeking enhanced security analytics.

Consulting and Integration ServicesService fees from consulting projects

Provide paid consulting services to help organizations integrate this skill into their security workflows, including custom audits, training sessions, and tailored detection rules. Revenue is generated through project-based fees or retainer agreements for ongoing support.

White-Label Solution for PlatformsLicensing fees from platform partners

License the skill as a white-label security module for other platforms or marketplaces that host user-generated content. Revenue comes from licensing fees based on usage volume or a flat rate, enabling partners to offer built-in vetting without developing their own tools.

💬 Integration Tip

Integrate this skill early in development pipelines by adding the analyze-skill.sh script as a pre-commit hook or CI step to automatically scan new dependencies before they are installed.