🛡️ SkillGuard — ClawHub Security Scanner
"Trust, but verify."
ClawHub has no moderation process. Any agent can publish any skill. SkillGuard provides the security layer that's missing — scanning skills for dangerous patterns, vulnerable dependencies, and suspicious behaviors before they touch your system.
🚨 Why This Matters
Third-party skills can:
| Risk | Impact |
|---|---|
| Execute arbitrary code | Full system compromise |
| Access your filesystem | Data theft, ransomware |
| Read environment variables | API key theft ($$$) |
| Exfiltrate data via HTTP | Privacy breach |
| Install malicious dependencies | Supply chain attack |
| Persist backdoors | Long-term compromise |
| Escalate privileges | Root access |
One malicious skill = game over.
SkillGuard helps you catch threats before installation.
📦 Installation
CODEBLOCK0
Or manually:
CODEBLOCK1
Requirements
- Python 3.8+
- `clawhub` CLI (for remote scanning)
🚀 Quick Start
CODEBLOCK2
🔍 What SkillGuard Detects
🔴 CRITICAL — Block Installation
These patterns indicate serious security risks:
| Category | Patterns | Risk |
|---|---|---|
| Code Execution | `eval()`, `exec()`, `compile()` | Arbitrary code execution |
| Shell Injection | `subprocess(shell=True)`, `os.system()`, `os.popen()` | Command injection |
| Child Process | `child_process.exec()`, `child_process.spawn()` | Shell access (Node.js) |
| Credential Theft | Access to `~/.ssh/`, `~/.aws/`, `~/.config/` | Private key/credential theft |
| System Files | `/etc/passwd`, `/etc/shadow` | System compromise |
| Recursive Delete | `rm -rf`, `shutil.rmtree('/')` | Data destruction |
| Privilege Escalation | `sudo`, `setuid`, `chmod 777` | Root access |
| Reverse Shell | Socket + subprocess patterns | Remote access |
| Crypto Mining | Mining pool URLs, `stratum://` | Resource theft |
🟡 WARNING — Review Before Installing
These patterns may be legitimate but warrant inspection:
| Category | Patterns | Concern |
|---|---|---|
| Network Requests | `requests.post()`, `fetch()` POST | Where is data going? |
| Environment Access | `os.environ`, `process.env` | Which variables? |
| File Writes | `open(..., 'w')`, `writeFile()` | What's being saved? |
| Base64 Encoding | `base64.encode()`, `btoa()` | Obfuscated payloads? |
| External IPs | Hardcoded IP addresses | Exfiltration endpoints? |
| Bulk File Ops | `shutil.copytree()`, `glob` | Mass data access? |
| Persistence | `crontab`, `systemctl`, `.bashrc` | Auto-start on boot? |
| Package Install | `pip install`, `npm install` | Supply chain risk |
🟢 INFO — Noted But Normal
| Category | Patterns | Note |
|---|---|---|
| File Reads | `open(..., 'r')`, `readFile()` | Expected for skills |
| JSON Parsing | `json.load()`, `JSON.parse()` | Data handling |
| Logging | `print()`, `console.log()` | Debugging |
| Standard Imports | `import os`, `import sys` | Common libraries |
📊 Scan Output Example
CODEBLOCK3
🎯 Commands Reference
scan <skill-name>
Fetch and scan a skill from ClawHub before installing.
CODEBLOCK4
scan-local <path>
Scan a local skill directory.
CODEBLOCK5
audit-installed
Scan all skills in your workspace.
CODEBLOCK6
deps <path>
Analyze dependencies for known vulnerabilities.
CODEBLOCK7
report <skill> [--format]
Generate detailed security report.
CODEBLOCK8
allowlist <skill>
Mark a skill as manually reviewed and trusted.
CODEBLOCK9
watch
Monitor for new skill versions and auto-scan updates.
CODEBLOCK10
⚙️ Configuration
Create ~/.skillguard/config.json:
CODEBLOCK11
🔐 Security Levels
After scanning, skills are assigned a security level:
| Level | Badge | Meaning | Recommendation |
|---|---|---|---|
| Verified | ✅ | Trusted author, no issues | Safe to install |
| Clean | 🟢 | No issues found | Likely safe |
| Review | 🟡 | Warnings only | Read before installing |
| Suspicious | 🟠 | Multiple warnings | Careful review needed |
| Dangerous | 🔴 | Critical issues | Do not install |
| Malicious | ⛔ | Known malware patterns | Block & report |
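To make the detection tables and the security-level ladder concrete, here is a small pattern scanner written for this page. It is an added example, not SkillGuard's own code: the rule ids (`CRIT-EVAL`, `WARN-ENV`, ...), the regexes, the sample skill files and the "three warnings make a skill Suspicious" threshold are all constructed here. It runs every line-level rule over each non-comment line of each file, adds one file-level correlation rule for the README's "socket + subprocess" reverse-shell shape, and then maps the findings onto the Verified / Clean / Review / Suspicious / Dangerous ladder.

```python
"""Pattern scanner in the spirit of SkillGuard's CRITICAL / WARNING / INFO tiers.

Added example, not SkillGuard's own code. Rule ids, regexes, the sample skill
files and the thresholds in assign_level() are constructed for this example.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    severity: str      # "CRITICAL", "WARNING" or "INFO"
    rule_id: str       # constructed id, e.g. "CRIT-EVAL"
    path: str
    line: int          # 1-based; 0 means a file-level finding
    description: str


# Line-level rules: (severity, rule id, regex, description).
# The patterns follow the README's detection tables; the ids are made up here.
RULES = [
    ("CRITICAL", "CRIT-EVAL", re.compile(r"(?<![.\w])(eval|exec|compile)\s*\("), "Code execution primitive"),
    ("CRITICAL", "CRIT-SHELL", re.compile(r"shell\s*=\s*True|os\.(system|popen)\s*\("), "Shell injection surface"),
    ("CRITICAL", "CRIT-CHILD", re.compile(r"child_process\.(exec|spawn)\s*\("), "Child process (Node.js)"),
    ("CRITICAL", "CRIT-CREDS", re.compile(r"~/\.(ssh|aws|config)/"), "Credential directory access"),
    ("CRITICAL", "CRIT-SYSFILE", re.compile(r"/etc/(passwd|shadow)\b"), "System file access"),
    ("CRITICAL", "CRIT-RMRF", re.compile(r"\brm\s+-rf\b|shutil\.rmtree\s*\("), "Recursive delete"),
    ("CRITICAL", "CRIT-PRIV", re.compile(r"\bsudo\b|\bsetuid\b|chmod\s+777\b"), "Privilege escalation"),
    ("CRITICAL", "CRIT-MINER", re.compile(r"stratum(\+tcp)?://"), "Mining pool URL"),
    ("WARNING", "WARN-NET", re.compile(r"requests\.post\s*\(|fetch\s*\(.*\bPOST\b"), "Outbound POST request"),
    ("WARNING", "WARN-ENV", re.compile(r"os\.environ|process\.env"), "Environment variable access"),
    ("WARNING", "WARN-WRITE", re.compile(r"open\s*\(.*['\"]w['\"]|writeFile\s*\("), "File write"),
    ("WARNING", "WARN-B64", re.compile(r"base64\.(b64)?encode|\bbtoa\s*\("), "Base64 encoding"),
    ("WARNING", "WARN-IP", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "Hardcoded IP address"),
    ("WARNING", "WARN-PERSIST", re.compile(r"\bcrontab\b|\bsystemctl\b|\.bashrc\b"), "Persistence mechanism"),
    ("WARNING", "WARN-PKG", re.compile(r"\b(pip|npm)\s+install\b"), "Package install at runtime"),
    ("INFO", "INFO-READ", re.compile(r"open\s*\(.*['\"]r['\"]|readFile\s*\("), "File read"),
    ("INFO", "INFO-JSON", re.compile(r"json\.loads?\s*\(|JSON\.parse\s*\("), "JSON parsing"),
]

# File-level correlation: the README's "socket + subprocess" reverse-shell shape.
REVSHELL_PARTS = (re.compile(r"\bimport\s+socket\b"), re.compile(r"\bimport\s+subprocess\b"))


def scan_source(path: str, source: str) -> List[Finding]:
    """Run every line-level rule over each non-comment line, then the file-level rule."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue  # comment-only lines are not executable
        for severity, rule_id, pattern, description in RULES:
            if pattern.search(line):
                findings.append(Finding(severity, rule_id, path, lineno, description))
    if all(p.search(source) for p in REVSHELL_PARTS):
        findings.append(Finding("CRITICAL", "CRIT-REVSHELL", path, 0,
                                "socket and subprocess imported in the same file"))
    return findings


def scan_skill(files: Dict[str, str]) -> List[Finding]:
    """files maps a relative path to its content (what a skill directory walk would yield)."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_source(path, files[path]))
    return findings


def assign_level(findings: List[Finding], trusted_author: bool = False) -> str:
    """Map findings onto the README's ladder. The README does not say how many
    warnings separate Review from Suspicious; three is this example's choice.
    Malicious needs known-malware signatures, which this example does not carry."""
    n_crit = sum(1 for f in findings if f.severity == "CRITICAL")
    n_warn = sum(1 for f in findings if f.severity == "WARNING")
    if n_crit:
        return "Dangerous"
    if n_warn >= 3:
        return "Suspicious"
    if n_warn:
        return "Review"
    return "Verified" if trusted_author else "Clean"


# Constructed sample skill, shaped like the README's report (eval, shell=True, rm -rf).
SAMPLE_SKILL = {
    "scripts/main.py": (
        "import json\n"
        "import os\n"
        "\n"
        "def run(user_input):\n"
        "    key = os.environ.get('API_KEY')\n"
        "    result = eval(user_input)\n"
        "    return json.loads('{}'), key, result\n"
    ),
    "scripts/utils.py": (
        "import subprocess\n"
        "\n"
        "def sh(cmd):\n"
        "    return subprocess.run(cmd, shell=True)\n"
    ),
    "install.sh": "#!/bin/sh\n# cleanup old files\nrm -rf $TARGET_DIR/*\n",
}


def format_report(files: Dict[str, str]) -> str:
    """One line per finding, then the assigned level."""
    findings = scan_skill(files)
    lines = [f"[{f.severity}] {f.rule_id} {f.path}:{f.line} {f.description}" for f in findings]
    lines.append(f"Level: {assign_level(findings)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_SKILL))
```

Running the block prints the three CRITICAL hits (eval, shell=True, rm -rf), one WARNING (environment access) and one INFO (JSON parsing) for the constructed sample, and assigns the level "Dangerous". Note the design choice that a single CRITICAL finding dominates everything else: a skill with a clean author history and one `eval()` on external input is still blocked, which matches the README's "Block Installation" rule for that tier.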
🔄 Integration Workflows
Pre-Install Hook
CODEBLOCK12
CI/CD Pipeline
CODEBLOCK13
Automated Monitoring
```bash
# Cron job for daily audits
0 9 * * * /path/to/skillguard audit-installed --notify
```
📈 Vulnerability Database
SkillGuard maintains a local database of known vulnerabilities:
CODEBLOCK15
Sources:
- CVE Database (Python packages)
- npm Advisory Database
- GitHub Security Advisories
- Community reports
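The dependency section of the sample report (unpinned `requests`, `axios@0.21.0` against CVE-2021-3749) and the local vulnerability database above describe one check: parse the skill's manifests, find the lowest version each spec admits, and look it up in a local advisory list. The following is an added example of that check, not SkillGuard's own `deps` command or its database format. The advisory-table layout, the sample `requirements.txt` and `package.json`, and the `examplepkg` / `EXAMPLE-ADVISORY-0001` entry are constructed; only the axios entry is taken from the README's sample report.

```python
"""Dependency check in the spirit of SkillGuard's `deps` command and local advisory database.

Added example, not SkillGuard's own code. The advisory database format, the
sample requirements.txt / package.json and the pypi placeholder entry are
constructed; the axios entry mirrors the README's sample report.
"""
import json
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class DepFinding(NamedTuple):
    ecosystem: str          # "pypi" or "npm"
    name: str
    version: Optional[str]  # lowest version the spec admits, if any
    status: str             # "ok", "unpinned" or "vulnerable"
    detail: str


# Constructed local advisory DB: (ecosystem, package) -> [(fixed_in, advisory id)].
# Versions below fixed_in are treated as affected.
LOCAL_DB: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("npm", "axios"): [("0.21.2", "CVE-2021-3749")],                # from the README's sample report
    ("pypi", "examplepkg"): [("1.4.0", "EXAMPLE-ADVISORY-0001")],    # placeholder entry
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted-version compare; pre-release tags are ignored in this example."""
    return tuple(int(n) for n in re.findall(r"\d+", v)) or (0,)


REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")

Dep = Tuple[str, Optional[str], bool]   # (name, version, pinned)


def parse_requirements(text: str) -> List[Dep]:
    """Only '==' counts as pinned; any other operator admits a range."""
    deps: List[Dep] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # skip blanks and options such as -r
            continue
        m = REQ_LINE.match(line)
        if m:
            deps.append((m.group(1).lower(), m.group(3), m.group(2) == "=="))
    return deps


def parse_package_json(text: str) -> List[Dep]:
    """An exact version string is pinned; ^, ~ and comparison prefixes admit a range."""
    data = json.loads(text)
    deps: List[Dep] = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            pinned = re.fullmatch(r"\d+(\.\d+)*", spec) is not None
            lower = re.sub(r"^[\^~>=<\s]+", "", spec)
            deps.append((name, lower if re.match(r"\d", lower) else None, pinned))
    return deps


def check(ecosystem: str, deps: List[Dep]) -> List[DepFinding]:
    """A spec with no version at all is unpinned; otherwise the lowest admitted
    version is compared against the advisory table before the pin is judged."""
    findings: List[DepFinding] = []
    for name, version, pinned in deps:
        if version is None:
            findings.append(DepFinding(ecosystem, name, None, "unpinned", "no version specified"))
            continue
        hit = next((adv for adv in LOCAL_DB.get((ecosystem, name), [])
                    if parse_version(version) < parse_version(adv[0])), None)
        if hit:
            fixed_in, adv_id = hit
            findings.append(DepFinding(ecosystem, name, version, "vulnerable", f"{adv_id} - upgrade to {fixed_in}+"))
        elif not pinned:
            findings.append(DepFinding(ecosystem, name, version, "unpinned", "version range, not an exact pin"))
        else:
            findings.append(DepFinding(ecosystem, name, version, "ok", "pinned, no known advisory"))
    return findings


def analyze_skill(files: Dict[str, str]) -> List[DepFinding]:
    """files maps relative path to content, as a skill directory walk would yield."""
    findings: List[DepFinding] = []
    if "requirements.txt" in files:
        findings += check("pypi", parse_requirements(files["requirements.txt"]))
    if "package.json" in files:
        findings += check("npm", parse_package_json(files["package.json"]))
    return findings


# Constructed sample manifests.
SAMPLE_FILES = {
    "requirements.txt": "requests          # unpinned\nnumpy==1.26.4\nexamplepkg>=1.2\n",
    "package.json": json.dumps({"dependencies": {"axios": "0.21.0", "lodash": "^4.17.21"}}),
}

if __name__ == "__main__":
    for f in analyze_skill(SAMPLE_FILES):
        print(f"{f.ecosystem:5} {f.name:12} {f.version or '-':10} {f.status:10} {f.detail}")
```

The point of checking the lowest admitted version rather than the pinned one is that a range like `^0.21.0` resolves differently on every install; if the bottom of the range is affected, the manifest cannot guarantee a fixed build, so the finding is reported as vulnerable rather than merely unpinned.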
🚫 Limitations
SkillGuard is a first line of defense, not a guarantee:
| Limitation | Explanation |
|---|---|
| Obfuscation | Determined attackers can hide malicious code |
| Dynamic code | Runtime-generated code is harder to analyze |
| False positives | Legitimate code may trigger warnings |
| Zero-days | New attack patterns won't be detected |
| Dependencies | Deep transitive dependency scanning is limited |
Defense in depth: Use SkillGuard alongside:
- Sandboxed execution environments
- Network monitoring
- Regular audits
- Principle of least privilege
🤝 Contributing
Found a dangerous pattern we missed? Help improve SkillGuard:
Add a Pattern
CODEBLOCK16
Report False Positives
```bash
skillguard report-fp --pattern "WARN-005" --reason "Legitimate use case"
```
📜 Changelog
v2.0.0 (Current)
- Comprehensive pattern database (50+ patterns)
- Dependency vulnerability scanning
- Multiple output formats (JSON, Markdown, HTML)
- Configuration file support
- Trusted author system
- Watch mode for monitoring updates
- Improved reporting with CWE references
v1.0.0
- Initial release
- Basic pattern detection
- Local and remote scanning
- Audit installed skills
📄 License
MIT License — Use freely, contribute back.
🛡️ Stay Safe
"In the agent ecosystem, trust is earned through transparency.
Every skill you install is code you're choosing to run.
Choose wisely. Verify always."
Built by PaxSwarm — protecting the swarm, one skill at a time 🐦⬛
Links:
🛡️ SkillGuard — ClawHub Security Scanner
"Trust, but verify."
ClawHub has no moderation process. Any agent can publish any skill. SkillGuard provides the missing security layer: it scans skills for dangerous patterns, vulnerable dependencies and suspicious behaviour before they touch your system.
🚨 Why This Matters
Third-party skills can:
| Risk | Impact |
|---|---|
| Access your filesystem | Data theft, ransomware |
| Read environment variables | API key theft ($$$) |
| Exfiltrate data via HTTP | Privacy breach |
| Install malicious dependencies | Supply chain attack |
| Persist backdoors | Long-term compromise |
| Escalate privileges | Root access |
One malicious skill = game over.
SkillGuard helps you catch threats before installation.
📦 Installation
```bash
clawhub install clawscan
```
Or manually:
```bash
git clone https://github.com/G0HEAD/skillguard
cd skillguard
chmod +x scripts/skillguard.py
```
Requirements
- Python 3.8+
- `clawhub` CLI (for remote scanning)
🚀 Quick Start
```bash
# Scan a skill before installing it
python3 scripts/skillguard.py scan some-random-skill
# Scan a local folder (your own skill or a downloaded one)
python3 scripts/skillguard.py scan-local ./path/to/skill
# Audit all installed skills
python3 scripts/skillguard.py audit-installed
# Generate a detailed security report
python3 scripts/skillguard.py report some-skill --format markdown
# Check dependencies for known vulnerabilities
python3 scripts/skillguard.py deps ./path/to/skill
```
🔍 What SkillGuard Detects
🔴 CRITICAL — Block Installation
These patterns indicate serious security risks:
| Category | Patterns | Risk |
|---|---|---|
| Code Execution | `eval()`, `exec()`, `compile()` | Arbitrary code execution |
| Shell Injection | `subprocess(shell=True)`, `os.system()`, `os.popen()` | Command injection |
| Child Process | `child_process.exec()`, `child_process.spawn()` | Shell access (Node.js) |
| Credential Theft | Access to `~/.ssh/`, `~/.aws/`, `~/.config/` | Private key/credential theft |
| System Files | `/etc/passwd`, `/etc/shadow` | System compromise |
| Recursive Delete | `rm -rf`, `shutil.rmtree('/')` | Data destruction |
| Privilege Escalation | `sudo`, `setuid`, `chmod 777` | Root access |
| Reverse Shell | Socket + subprocess patterns | Remote access |
| Crypto Mining | Mining pool URLs, `stratum://` | Resource theft |
🟡 WARNING — Review Before Installing
These patterns may be legitimate but warrant inspection:
| Category | Patterns | Concern |
|---|---|---|
| Network Requests | `requests.post()`, `fetch()` POST | Where is data going? |
| Environment Access | `os.environ`, `process.env` | Which variables? |
| File Writes | `open(..., 'w')`, `writeFile()` | What's being saved? |
| Base64 Encoding | `base64.encode()`, `btoa()` | Obfuscated payloads? |
| External IPs | Hardcoded IP addresses | Exfiltration endpoints? |
| Bulk File Ops | `shutil.copytree()`, `glob` | Mass data access? |
| Persistence | `crontab`, `systemctl`, `.bashrc` | Auto-start on boot? |
| Package Install | `pip install`, `npm install` | Supply chain risk |
🟢 INFO — Noted But Normal
| Category | Patterns | Note |
|---|---|---|
| File Reads | `open(..., 'r')`, `readFile()` | Expected for skills |
| JSON Parsing | `json.load()`, `JSON.parse()` | Data handling |
| Logging | `print()`, `console.log()` | Debugging |
| Standard Imports | `import os`, `import sys` | Common libraries |
📊 Scan Output Example
```text
╔══════════════════════════════════════════════════════════════╗
║  🛡️  SKILLGUARD SECURITY REPORT                              ║
╠══════════════════════════════════════════════════════════════╣
║  Skill: suspicious-helper v1.2.0                             ║
║  Author: unknown-user                                        ║
║  Files: 8 analyzed                                           ║
║  Scan time: 2024-02-03 05:30:00 UTC                          ║
╚══════════════════════════════════════════════════════════════╝

📁 SCANNED FILES
────────────────────────────────────────────────────────────────
✓ SKILL.md (541 bytes)
✓ scripts/main.py (2.3 KB)
✓ scripts/utils.py (1.1 KB)
✓ scripts/network.py (890 bytes)
✓ config.json (234 bytes)
✓ requirements.txt (89 bytes)
✓ package.json (312 bytes)
✓ install.sh (156 bytes)

🔴 CRITICAL ISSUES (3)
────────────────────────────────────────────────────────────────
[CRIT-001] scripts/main.py:45
│ Pattern: eval() with external input
│ Risk: Arbitrary code execution
│ Code: result = eval(user_input)
│
[CRIT-002] scripts/utils.py:23
│ Pattern: subprocess with shell=True
│ Risk: Command injection vulnerability
│ Code: subprocess.run(cmd, shell=True)
│
[CRIT-003] install.sh:12
│ Pattern: Recursive delete with a variable path
│ Risk: Potential data destruction
│ Code: rm -rf $TARGET_DIR/*

🟡 WARNINGS (5)
────────────────────────────────────────────────────────────────
[WARN-001] scripts/network.py:15 — HTTP POST to external URL
[WARN-002] scripts/main.py:78 — Reads OPENAI_API_KEY
[WARN-003] requirements.txt:3 — Unpinned dependency: requests
[WARN-004] scripts/utils.py:45 — Base64 encoding detected
[WARN-005] config.json — Hardcoded IP: 192.168.1.100

🟢 INFO (2)
────────────────────────────────────────────────────────────────
[INFO-001] scripts/main.py:10 — Standard file read operation
[INFO-002] requirements.txt — 3 dependencies declared

📦 DEPENDENCY ANALYSIS
────────────────────────────────────────────────────────────────
requirements.txt:
  ⚠️ requests (unpinned - specify a version!)
  ✓ json (standard library)
  ✓ pathlib (standard library)
package.json:
  ⚠️ axios@0.21.0 (CVE-2021-3749 - upgrade to 0.21.2+)

════════════════════════════════════════════════════════════════
VERDICT: 🚫 DANGEROUS
════════════════════════════════════════════════════════════════
⛔ DO NOT INSTALL THIS SKILL
Found 3 critical security issues:
  • Arbitrary code execution via eval()
  • Command injection via shell=True
  • Dangerous file deletion pattern
Manual code review required before use.
════════════════════════════════════════════════════════════════
```
🎯 Commands Reference
scan <skill-name>
Fetch and scan a skill from ClawHub before installing.
```bash
skillguard scan cool-automation-skill
skillguard scan cool-automation-skill --verbose
skillguard scan cool-automation-skill --json > report.json
```
scan-local <path>
Scan a local skill directory.
```bash
skillguard scan-local ./my-skill
skillguard scan-local ~/downloads/untrusted-skill --strict
```
audit-installed
Scan all skills in your workspace.
```bash
skillguard audit-installed
skillguard audit-installed --fix  # attempt to fix issues
```
deps <path>