Skill Auditor 🔍

A structured framework that teaches your agent how to audit ClawHub and MCP skills before you install them. Not a scanner — a systematic review methodology.

Unlike automated scanners that give false confidence, Skill Auditor walks through what matters: permissions, behavior, credentials, and persistence — so you understand exactly what a skill will do on your system.

Why this exists

• - 13.4% of ClawHub skills have critical security issues (Snyk ToxicSkills study)
• 341 malicious skills were found in a single campaign (ClawHavoc incident, Feb 2026)
• Automated scanners can miss context-dependent threats and provide false security
• Understanding what you're installing is better than trusting a green checkmark

How to use

Ask your agent to audit any skill before installing:

CODEBLOCK0

CODEBLOCK1

CODEBLOCK2

Audit Framework

The agent follows a 6-domain checklist. Each domain produces a PASS / WARN / FAIL verdict.

1. Identity & Provenance

• - [ ] Author has a GitHub profile with other projects
• [ ] Skill has a public source repository (not ClawHub-only)
• [ ] Repository has commit history (not a single-commit dump)
• [ ] Author identity is consistent across platforms
• FAIL if: No source repo, no author history, single-commit repo

2. Permission & Scope Analysis

• - [ ] requires.env only lists credentials the skill actually uses
• [ ] No credentials unrelated to the skill's purpose
• [ ] File access limited to workspace directory
• [ ] No requests for system-wide permissions
• FAIL if: Requests credentials beyond stated purpose, accesses files outside workspace

3. Behavior vs Description Match

• - [ ] Every file in the skill serves the stated purpose
• [ ] No network calls to undeclared endpoints
• [ ] No data exfiltration patterns (sending user data to external URLs)
• [ ] Script behavior matches what SKILL.md describes
• FAIL if: Hidden functionality, undeclared network calls, description mismatch

4. Credential & Secret Handling

• - [ ] API keys stored in env vars, not hardcoded
• [ ] No credentials logged or written to non-protected files
• [ ] OAuth tokens have minimal required scopes
• [ ] Cached tokens stored in workspace, not system-wide
• FAIL if: Hardcoded secrets, credentials in logs, excessive OAuth scopes

5. Persistence & Side Effects

• - [ ] Files written only within workspace boundaries
• [ ] No system-level modifications (crontab, /etc/, systemd)
• [ ] No auto-start or background processes installed
• [ ] Uninstall is clean (no orphaned files or processes)
• FAIL if: System modifications, persistent background processes, dirty uninstall

6. Dependency & Supply Chain

• - [ ] Dependencies are well-known packages (not obscure single-author libs)
• [ ] No curl | bash or curl | python install patterns
• [ ] No post-install scripts that download additional code
• [ ] Package versions are pinned (not latest)
• FAIL if: Unknown dependencies, pipe-to-shell installs, unpinned versions

Output Format

The agent produces a structured report:

CODEBLOCK3

Limitations

• - This is a review framework, not a deterministic scanner
• The agent reads and reasons about skill files — it cannot execute or sandbox them
• Always read the source code yourself for high-privilege skills
• A PASS verdict means no issues were found, not that the skill is guaranteed safe

Trust Hierarchy

When evaluating skill trust, consider this hierarchy:

1. 1. Highest trust: Open-source on GitHub + active maintainer + ClawHub Benign scan + you read the code
2. Moderate trust: GitHub repo exists + ClawHub Benign scan + reasonable permissions
3. Low trust: ClawHub-only (no source repo) + Suspicious scan + broad permissions
4. No trust: No source, no author history, requests unrelated credentials