🔒 Crabukit
Security scanner for OpenClaw skills. Prevents installation of malicious or vulnerable skills by static analysis. Integrates with Clawdex for comprehensive protection.
Quick Start
CODEBLOCK0
🔌 Clawdex Integration
Crabukit automatically integrates with Clawdex if installed:
CODEBLOCK1
Layered Protection:
- - Clawdex: Database of known-bad skills (fast lookup)
- Crabukit: Behavior analysis for zero-days (static analysis)
What It Detects
| Category | Issues |
|---|
| External DB | Known malicious skills (via Clawdex) |
| Secrets |
Hardcoded API keys, private keys, passwords |
|
Code Injection |
eval(),
exec(),
subprocess(shell=True) |
|
Shell Risks |
curl \| bash,
rm -rf, unquoted variables |
|
Permissions | Dangerous tool requests without safety guidance |
|
Metadata | Suspicious patterns in SKILL.md descriptions |
Risk Scoring
Crabukit assigns a score (0-100) based on findings:
| Score | Level | Action |
|---|
| 0 | Clean | Safe to install |
| 1-9 |
Low | Minor issues |
| 10-24 | Medium | Review findings |
| 25-49 | High | Careful review required |
| 50+ | Critical | Do not install |
Exit Codes
- -
0 - Scan completed, no findings at or above --fail-on threshold - INLINECODE7� - Findings at or above threshold detected
CI/CD Integration
CODEBLOCK2
Installation
CODEBLOCK3
🔒 Crabukit
OpenClaw技能安全扫描器。通过静态分析防止安装恶意或有漏洞的技能。与Clawdex集成,提供全面保护。
快速开始
bash
安全安装技能(安装前扫描)
crabukit install youtube-summarize
安装前扫描本地技能
crabukit scan ./suspicious-skill/
扫描已安装的技能
crabukit scan /opt/homebrew/lib/node_modules/clawdbot/skills/unknown-skill
CI模式 - 高严重性及以上时失败
crabukit scan ./my-skill --fail-on=high
列出所有检测规则
crabukit list-rules
🔌 Clawdex集成
如果已安装,Crabukit 自动与Clawdex集成:
bash
安装Clawdex以获得基于数据库的保护
clawdhub install clawdex
现在crabukit将:
1. 检查Clawdex数据库(已知824+个恶意技能)
2. 运行行为分析(零日检测)
→ 深度防御!
分层保护:
- - Clawdex:已知恶意技能数据库(快速查找)
- Crabukit:零日漏洞行为分析(静态分析)
检测内容
| 类别 | 问题 |
|---|
| 外部数据库 | 已知恶意技能(通过Clawdex) |
| 密钥 |
硬编码的API密钥、私钥、密码 |
|
代码注入 | eval()、exec()、subprocess(shell=True) |
|
Shell风险 | curl \| bash、rm -rf、未引用的变量 |
|
权限 | 未附带安全指导的危险工具请求 |
|
元数据 | SKILL.md描述中的可疑模式 |
风险评分
Crabukit根据发现结果分配评分(0-100):
低 | 轻微问题 |
| 10-24 | 中 | 需审查发现结果 |
| 25-49 | 高 | 需仔细审查 |
| 50+ | 严重 | 请勿安装 |
退出代码
- - 0 - 扫描完成,未发现达到或超过--fail-on阈值的问题
- 1 - 检测到达到或超过阈值的问题
CI/CD集成
yaml
.github/workflows/security.yml
run: |
pip install crabukit
crabukit scan ./my-skill --fail-on=medium
安装
bash
通过ClawdHub(发布后)
clawdhub install crabukit
或通过pip
pip install crabukit
或从源码安装
git clone https://github.com/tnbradley/crabukit.git
cd crabukit
pip install -e .
