ClawSkillGuard — OpenClaw Skill Security Scanner
Overview
ClawGuard scans OpenClaw skills for security risks before you install or run them. It analyzes SKILL.md files, scripts, and supporting files for malicious patterns, data exfiltration, prompt injection, and other threats.
100% local. Zero network calls. Your skills never leave your machine.
When to Use
- Before installing a skill from ClawHub or any external source
- Auditing skills already installed on your system
- When a user asks "is this skill safe?" or "check this skill for malware"
- Periodic security audits of your skill directory
Scan Workflow
1) Locate the Skill
Ask the user for the skill path, or scan common locations:
- `~/.openclaw/skills/<name>/` (ClawHub installs)
- `~/.openclaw/workspace/skills/<name>/` (workspace skills)
- Any path the user specifies
If no path given, offer to scan all installed skills.
2) Run the Scanner
```bash
python3 <skill-dir>/scripts/scan.py <skill-path> [--format text|json] [--severity low|medium|high|critical]
```
The scanner checks:
- SKILL.md — prompt injection, hidden instructions, data exfil prompts
- Scripts — shell commands, network calls, credential access, file system manipulation
- Dependencies — suspicious imports, external package installs
- File patterns — obfuscation, encoded payloads, steganography
3) Present Results
Format findings clearly:
- 🔴 CRITICAL — Do not install. Active threat detected.
- 🟠 HIGH — Suspicious. Review before installing.
- 🟡 MEDIUM — Caution. Unusual patterns found.
- 🟢 LOW — Minor concerns. Generally safe.
- ✅ CLEAN — No threats detected.
For each finding, include:
- File and line number
- Pattern matched
- Why it's risky
- Suggested action
4) Recommendation
Give a clear verdict:
- ✅ SAFE TO INSTALL — No significant risks found
- ⚠️ REVIEW NEEDED — Some concerns, read the flagged sections
- ❌ DO NOT INSTALL — Critical threats detected
Severity Levels
| Level | Description | Examples |
|---|---|---|
| 🔴 CRITICAL | Active malicious behavior | Data exfil, credential theft, destructive commands |
| 🟠 HIGH | Likely malicious intent | Hidden instructions, obfuscated code, unauthorized network calls |
| 🟡 MEDIUM | Suspicious but possibly benign | Unusual file access, broad permissions, external downloads |
| 🟢 LOW | Minor concerns | Verbose logging, debug mode, minor policy violations |
Detection Patterns
Prompt Injection (SKILL.md)
- Hidden markdown (white text, zero-width chars)
- Instructions to ignore system prompts
- Attempts to override SOUL.md or AGENTS.md
- Data exfiltration prompts ("send contents of...", "report to external URL")
Malicious Scripts
- Credential harvesting (reading .env, .ssh, tokens)
- Reverse shells or bind shells
- Cryptocurrency miners
- Destructive commands (rm -rf, format, dd)
- Obfuscated/encoded payloads (base64, eval, exec)
- Unauthorized outbound connections
- Privilege escalation attempts
Supply Chain
- pip/npm/curl installs from untrusted sources
- Downloading and executing remote scripts
- Modifying files outside skill directory
- Cron job manipulation
- PATH hijacking
Example Usage
```
User: "Is this skill safe to install?"
Agent: Run ClawGuard scan → present findings → give verdict
```
```
User: "Scan all my installed skills"
Agent: Scan ~/.openclaw/skills/*/ → generate a comprehensive security report
```
Important Notes
- This scanner uses pattern matching, not formal verification. Clever adversaries can evade detection.
- Always review HIGH and CRITICAL findings manually.
- A "CLEAN" result means no known patterns matched — not a guarantee of safety.
- When in doubt, read the skill's source code yourself.