OpenClaw Sentinel
Supply chain security scanner for agent skills. Detects obfuscated code, known-bad signatures, suspicious install behaviors, dependency confusion, and metadata inconsistencies — before and after installation.
The Problem
You install skills from the community. Any skill can contain obfuscated payloads, post-install hooks that execute arbitrary code, or supply chain attacks that modify other skills in your workspace. Existing tools verify file integrity after the fact — nothing inspects skills for supply chain risks before they run.
Commands
Scan Installed Skills
Deep scan of all installed skills for supply chain risks. Checks file hashes against a local threat database, detects obfuscated code patterns, suspicious install behaviors, dependency confusion, and metadata inconsistencies. Generates a risk score (0-100) per skill.
```bash
python3 {baseDir}/scripts/sentinel.py scan --workspace /path/to/workspace
```
Scan a Single Skill
```bash
python3 {baseDir}/scripts/sentinel.py scan openclaw-warden --workspace /path/to/workspace
```
Pre-Install Inspection
Scan a skill directory BEFORE copying it to your workspace. Outputs a SAFE/REVIEW/REJECT recommendation and shows exactly what binaries, network calls, and file operations the skill will perform.
```bash
python3 {baseDir}/scripts/sentinel.py inspect /path/to/skill-directory
```
Manage Threat Database
View current threat database statistics.
```bash
python3 {baseDir}/scripts/sentinel.py threats --workspace /path/to/workspace
```
Import a community-shared threat list.
```bash
python3 {baseDir}/scripts/sentinel.py threats --update-from threats.json --workspace /path/to/workspace
```
Quick Status
Summary of installed skills, scan history, and risk score overview.
```bash
python3 {baseDir}/scripts/sentinel.py status --workspace /path/to/workspace
```
Workspace Auto-Detection
If `--workspace` is omitted, the script tries, in order:
1. The `OPENCLAW_WORKSPACE` environment variable
2. The current directory (if `AGENTS.md` exists there)
3. `~/.openclaw/workspace` (default)
What It Detects
| Category | Patterns |
|---|---|
| Encoded Execution | `eval(base64.b64decode(...))`, `exec(compile(...))`, eval/exec with encoded strings |
| Dynamic Imports | `__import__('os').system(...)`, dynamic subprocess/ctypes imports |
| Shell Injection | `subprocess.Popen` with `shell=True` + string concatenation, `os.system()` |
| Remote Code Exec | urllib/requests combined with exec/eval — download-and-run patterns |
| Obfuscation | Lines >1000 chars, high-entropy strings, minified code blocks |
| Install Behaviors | Post-install hooks, auto-exec in `__init__.py`, cross-skill file writes |
| Hidden Files | Non-standard dotfiles and hidden directories |
| Dependency Confusion | Skills shadowing popular package names, typosquatting near-matches |
| Metadata Mismatch | Undeclared binaries, undeclared env vars, invocable flag inconsistencies |
| Serialization | `pickle.loads`, `marshal.loads` — arbitrary code execution via deserialization |
| Known-Bad Hashes | File SHA-256 matches against local threat database |
Risk Scoring
Each skill receives a score from 0-100:
| Score | Label | Meaning |
|---|---|---|
| 0 | CLEAN | No issues detected |
| 1-19 | LOW | Minor findings, likely benign |
| 20-49 | MODERATE | Review recommended |
| 50-74 | HIGH | Significant risk, review required |
| 75-100 | CRITICAL | Serious supply chain risk |
Threat Database Format
Community-shared threat lists use this JSON format:
```json
{
  "hashes": {
    "<sha256>": {"name": "...", "severity": "...", "description": "..."}
  },
  "patterns": [
    {"name": "...", "regex": "...", "severity": "..."}
  ]
}
```

Keys under `hashes` are the SHA-256 digests of known-bad files; `patterns` entries are regular expressions matched against file contents.
Exit Codes
- `0` — Clean, no issues
- `1` — Review needed
- `2` — Threats detected
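The pieces above (the detection patterns, the 0-100 risk score with its labels, the threat database layout and the exit codes) fit together as follows; this is an added illustration, not Sentinel's own code. The threat list, the skill files, the severity weights and the score-to-exit-code mapping are constructed assumptions of the example; the page itself defines only the labels and the exit codes.

```python
import hashlib
import re

# Assumed weights and score-to-exit-code mapping; the page defines only the labels and exit codes.
SEVERITY_WEIGHT = {"low": 5, "medium": 10, "high": 25, "critical": 50}
LABELS = [(0, "CLEAN"), (19, "LOW"), (49, "MODERATE"), (74, "HIGH"), (100, "CRITICAL")]

# Constructed threat list in the page's JSON layout (example entries, not a real feed).
KNOWN_BAD = b"# constructed sample whose digest is listed as known-bad\nprint('hello')\n"
THREAT_DB = {
    "hashes": {
        hashlib.sha256(KNOWN_BAD).hexdigest(): {
            "name": "sample-known-bad", "severity": "critical", "description": "constructed entry"},
    },
    "patterns": [
        {"name": "encoded-exec", "regex": r"\b(eval|exec)\s*\(\s*base64\.b64decode", "severity": "critical"},
        {"name": "dunder-import", "regex": r"__import__\s*\(", "severity": "high"},
        {"name": "shell-true", "regex": r"subprocess\.\w+\(.*shell\s*=\s*True", "severity": "high"},
        {"name": "deserialization", "regex": r"\b(pickle|marshal)\.loads\s*\(", "severity": "high"},
    ],
}
COMPILED = [(p["name"], re.compile(p["regex"]), p["severity"]) for p in THREAT_DB["patterns"]]

def scan_file(path, data):
    """Return [(finding, severity)] for one file: hash lookup first, then line-level pattern checks."""
    findings = []
    hit = THREAT_DB["hashes"].get(hashlib.sha256(data).hexdigest())
    if hit:
        findings.append((f"{path}: known-bad hash ({hit['name']})", hit["severity"]))
    for lineno, line in enumerate(data.decode("utf-8", errors="replace").splitlines(), 1):
        if len(line) > 1000:  # obfuscation heuristic from the detection table
            findings.append((f"{path}:{lineno}: line longer than 1000 chars", "medium"))
        for name, rx, sev in COMPILED:
            if rx.search(line):
                findings.append((f"{path}:{lineno}: {name}", sev))
    return findings

def score_skill(files):
    """files maps relative path -> bytes. Returns (score, label, exit_code, findings)."""
    findings = [f for path, data in files.items() for f in scan_file(path, data)]
    score = min(100, sum(SEVERITY_WEIGHT[sev] for _, sev in findings))
    label = next(name for bound, name in LABELS if score <= bound)
    exit_code = 0 if score == 0 else 1 if score < 50 else 2  # clean / review needed / threats
    return score, label, exit_code, findings

# Constructed skill: a benign manifest, an encoded-exec script, and a known-bad vendored file.
SAMPLE_SKILL = {
    "SKILL.md": b"# helper skill\n",
    "scripts/run.py": b"import base64\nexec(base64.b64decode(blob))\n",
    "vendor/blob.py": KNOWN_BAD}
```

Calling `score_skill(SAMPLE_SKILL)` yields two critical findings, a score of 100, the CRITICAL label and exit code 2; an empty skill scores 0 / CLEAN / exit 0.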
No External Dependencies
Python standard library only. No pip install. No network calls. Everything runs locally.
Cross-Platform
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.