# Skill Defender — Malicious Pattern Scanner

## When to Run

### Automatic Triggers
- New skill installed — Immediately run `scan_skill.py` against it before allowing use
- Skill updated — Re-scan after any file changes in a skill directory
- Periodic audit — Run batch scan on all installed skills when requested
### Manual Triggers
- User says "scan skill X" → scan that specific skill
- User says "scan all skills" → batch scan all skills
- User says "security check" or "audit skills" → same as above
## Scripts

### `scripts/scan_skill.py` — Single Skill Scanner
Scans one skill directory for malicious patterns. Produces JSON or human-readable output.

### `scripts/aggregate_scan.py` — Batch Scanner
Scans ALL installed skills and produces a single JSON report. Includes a built-in allowlist to reduce false positives from security-related skills, API skills, and other known-safe patterns.
## How to Run

```bash
# Scan a single skill (human-readable)
python3 scripts/scan_skill.py /path/to/skill-dir

# Scan a single skill (JSON output)
python3 scripts/scan_skill.py /path/to/skill-dir --json

# Scan all installed skills (aggregate JSON report)
python3 scripts/aggregate_scan.py

# Use a custom skills directory
python3 scripts/aggregate_scan.py --skills-dir /path/to/skills

# Show detailed warnings
python3 scripts/scan_skill.py /path/to/skill-dir --verbose

# Exclude false positives
python3 scripts/scan_skill.py /path/to/skill-dir --exclude pattern1 pattern2
```
## Exit Codes (`scan_skill.py`)
- `0` = clean or informational only
- `1` = suspicious (medium/high findings)
- `2` = dangerous (critical findings)
- `3` = error
## Output Format (`aggregate_scan.py`)

```json
{
  "skills": [
    {
      "name": "skill-name",
      "verdict": "clean|suspicious|dangerous|error",
      "findingsCount": 0,
      "findings": []
    }
  ],
  "summary": "All 37 skills passed, no significant issues.",
  "totalSkills": 37,
  "cleanCount": 37,
  "suspiciousCount": 0,
  "dangerousCount": 0,
  "errorCount": 0,
  "timestamp": "2026-02-02T06:00:00+00:00"
}
```
## Auto-Detection
Both scripts auto-detect paths:
- Skills directory: Detected from script location (walks up to find the `skills/` parent), falls back to `~/clawd/skills`, `~/skills`, `~/.openclaw/skills`
- Scanner script: `aggregate_scan.py` finds `scan_skill.py` co-located in the same directory
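The detection rule above (walk up to a `skills/` ancestor, then fall back to the listed home-directory locations, and look for the single-skill scanner next to the batch scanner) as an added illustration; this is not the project's own code. The `is_dir` parameter is an assumption added so the path logic can be exercised without a real filesystem, and the example path is constructed.

```python
import os
from pathlib import Path

# Fallback locations named in the docs, tried in order when no skills/ ancestor exists.
DEFAULT_FALLBACKS = ("~/clawd/skills", "~/skills", "~/.openclaw/skills")


def detect_skills_dir(script_path, fallbacks=DEFAULT_FALLBACKS, is_dir=os.path.isdir):
    """Return the skills directory for a scanner script, or None if nothing matches.

    script_path should be absolute (e.g. Path(__file__).resolve()); a relative
    path has no ancestors to walk. Walks up looking for an ancestor literally
    named 'skills'; if none exists, returns the first fallback that is an
    existing directory. `is_dir` is injectable (assumption for testability).
    """
    for ancestor in Path(script_path).parents:  # nearest ancestor first
        if ancestor.name == "skills":
            return str(ancestor)
    for candidate in fallbacks:
        expanded = os.path.expanduser(candidate)
        if is_dir(expanded):
            return expanded
    return None  # caller should report an error rather than scanning cwd


def locate_single_scanner(aggregate_script_path):
    """Co-location rule: scan_skill.py is expected beside aggregate_scan.py."""
    return str(Path(aggregate_script_path).with_name("scan_skill.py"))


if __name__ == "__main__":
    # Constructed example path; on a real install pass the running script's resolved __file__.
    here = "/home/user/clawd/skills/skill-defender/scripts/aggregate_scan.py"
    print("skills dir:", detect_skills_dir(here, is_dir=lambda p: False))
    print("single-skill scanner:", locate_single_scanner(here))
```

Because the walk stops at the nearest ancestor named `skills`, a skill installed under a nested `skills/` tree is attributed to the innermost one; pass `--skills-dir` explicitly when that is not what you want.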
## Handling Results

### ✅ Clean (verdict: "clean")
- No action needed — skill is safe

### ⚠️ Suspicious (verdict: "suspicious")
- Warn the user with a summary of findings
- Show the category and severity of each finding

### 🚨 Dangerous (verdict: "dangerous")
- Block the skill — do not proceed with installation or use
- Show the full detailed findings to the user
- Require explicit user override to proceed
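Putting the verdict policy above together with the exit-code table and the aggregate report format, here is an added example (not the project's own code) that reads an `aggregate_scan.py`-style report, decides allow / warn / block per skill, honours an explicit user override for dangerous skills, and maps the worst verdict back to the `0`/`1`/`2`/`3` exit convention. The sample report is constructed, and the per-finding keys `category`, `severity` and `detail` are an assumption: the page only shows `findings: []`.

```python
import json

# Exit codes documented for scan_skill.py, reused to turn a verdict into a process status.
VERDICT_EXIT_CODE = {"clean": 0, "suspicious": 1, "dangerous": 2, "error": 3}

# Constructed sample in the aggregate_scan.py output shape. Skill names, categories
# and details are invented for illustration; finding keys are an assumed schema.
SAMPLE_REPORT = json.dumps({
    "skills": [
        {"name": "summarize", "verdict": "clean", "findingsCount": 0, "findings": []},
        {"name": "weather-widget", "verdict": "suspicious", "findingsCount": 1,
         "findings": [{"category": "credential-path", "severity": "medium",
                       "detail": "references ~/.aws/credentials"}]},
        {"name": "helpful-helper", "verdict": "dangerous", "findingsCount": 1,
         "findings": [{"category": "remote-script-exec", "severity": "critical",
                       "detail": "install step pipes a downloaded script to a shell"}]},
    ],
    "summary": "3 skills scanned, 1 dangerous",
    "totalSkills": 3, "cleanCount": 1, "suspiciousCount": 1,
    "dangerousCount": 1, "errorCount": 0,
    "timestamp": "2026-02-02T06:00:00+00:00",
})


def triage(report_json, overrides=frozenset()):
    """Apply the Handling Results policy to every skill in an aggregate report.

    overrides: names the user has explicitly approved despite a dangerous verdict.
    Unknown or missing verdicts are treated as 'error', never as clean.
    """
    report = json.loads(report_json)
    decisions = []
    for skill in report.get("skills", []):
        name = skill.get("name", "<unknown>")
        verdict = skill.get("verdict", "error")
        findings = [
            f"{f.get('category', '?')} [{f.get('severity', '?')}]: {f.get('detail', '')}"
            for f in skill.get("findings", [])
        ]
        if verdict == "clean":
            action = "allow"
        elif verdict == "suspicious":
            action = "warn"  # proceed, but surface category and severity to the user
        elif verdict == "dangerous":
            action = "allow-by-override" if name in overrides else "block"
        else:
            action = "error"  # scanner could not evaluate the skill; do not use it
        decisions.append({"name": name, "verdict": verdict,
                          "action": action, "findings": findings})
    return decisions


def exit_code(decisions):
    """Worst verdict wins, mirroring scan_skill.py's 0/1/2/3 convention."""
    return max((VERDICT_EXIT_CODE.get(d["verdict"], 3) for d in decisions), default=0)


def render(decisions):
    """Human-readable summary: one line per skill, findings indented beneath it."""
    lines = []
    for d in decisions:
        lines.append(f"{d['action'].upper():18} {d['name']} (verdict: {d['verdict']})")
        if d["action"] != "allow":
            lines.extend("    " + f for f in d["findings"])
    return "\n".join(lines)


if __name__ == "__main__":
    decisions = triage(SAMPLE_REPORT)
    print(render(decisions))
    raise SystemExit(exit_code(decisions))
```

An override is keyed on the skill name only; if the skill's files change after the override is granted, the "skill updated" trigger above should re-scan it and the override should be re-confirmed rather than carried forward.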
## Built-in Allowlist
The aggregate scanner includes an allowlist for known false positives:
- Security scanners (skill-defender, clawdbot-security-check) — their docs/scripts contain the very patterns they detect
- Auth-dependent skills (tailscale, reddit, n8n, event-planner) — legitimately reference credential paths and API keys
- Config-aware skills (memory-setup, eightctl, summarize) — reference config paths in documentation
- Agent-writing skills (self-improving-agent) — designed to modify agent files
## Pattern Reference
See `references/threat-patterns.md` for full documentation of all detected patterns, organized by category with explanations of why each is dangerous.
## Important Notes
- No external dependencies — standard library only (Python 3.9+)
- Fast — under 1 second per skill, ~30 seconds for a full batch of 30+ skills
- This is deterministic pattern matching (Layer 2 defense). Not LLM-based.
- False positives are possible — the allowlist and `--exclude` flag help
- The scanner will flag itself if scanned without the allowlist — this is expected
# Skill Defender — Malicious Pattern Scanner

## When to Run

### Automatic Triggers
- New skill installed — Immediately run `scan_skill.py` against it before allowing use
- Skill updated — Re-scan after any file changes in the skill directory
- Periodic audit — Run a batch scan of all installed skills on request

### Manual Triggers
- User says "scan skill X" → scan that specific skill
- User says "scan all skills" → batch scan all skills
- User says "security check" or "audit skills" → same as above

## Scripts

### `scripts/scan_skill.py` — Single Skill Scanner
Scans a single skill directory for malicious patterns. Outputs JSON or a human-readable format.

### `scripts/aggregate_scan.py` — Batch Scanner
Scans all installed skills and produces a single JSON report. Includes a built-in allowlist to reduce false positives from security-related skills, API skills, and other known-safe patterns.

## How to Run

```bash
# Scan a single skill (human-readable)
python3 scripts/scan_skill.py /path/to/skill-dir

# Scan a single skill (JSON output)
python3 scripts/scan_skill.py /path/to/skill-dir --json

# Scan all installed skills (aggregate JSON report)
python3 scripts/aggregate_scan.py

# Use a custom skills directory
python3 scripts/aggregate_scan.py --skills-dir /path/to/skills

# Show detailed warnings
python3 scripts/scan_skill.py /path/to/skill-dir --verbose

# Exclude false positives
python3 scripts/scan_skill.py /path/to/skill-dir --exclude pattern1 pattern2
```

## Exit Codes (`scan_skill.py`)
- `0` = clean or informational only
- `1` = suspicious (medium/high findings)
- `2` = dangerous (critical findings)
- `3` = error

## Output Format (`aggregate_scan.py`)

```json
{
  "skills": [
    {
      "name": "skill-name",
      "verdict": "clean|suspicious|dangerous|error",
      "findingsCount": 0,
      "findings": []
    }
  ],
  "summary": "所有 37 个技能均通过,无重大问题。",
  "totalSkills": 37,
  "cleanCount": 37,
  "suspiciousCount": 0,
  "dangerousCount": 0,
  "errorCount": 0,
  "timestamp": "2026-02-02T06:00:00+00:00"
}
```

## Auto-Detection
Both scripts auto-detect paths:
- Skills directory: auto-detected from the script location (walks up to find the `skills/` parent directory), falling back to `~/clawd/skills`, `~/skills`, `~/.openclaw/skills`
- Scanner script: `aggregate_scan.py` looks for `scan_skill.py` in the same directory

## Handling Results

### ✅ Clean (verdict: clean)

### ⚠️ Suspicious (verdict: suspicious)
- Warn the user with a summary of the findings
- Show the category and severity of each finding

### 🚨 Dangerous (verdict: dangerous)
- Block the skill — do not proceed with installation or use
- Show the user the complete detailed findings
- Require explicit user override to proceed

## Built-in Allowlist
The aggregate scanner includes an allowlist of known false positives:
- Security scanners (skill-defender, clawdbot-security-check) — their docs/scripts contain the very patterns they detect
- Auth-dependent skills (tailscale, reddit, n8n, event-planner) — legitimately reference credential paths and API keys
- Config-aware skills (memory-setup, eightctl, summarize) — reference config paths in documentation
- Agent-writing skills (self-improving-agent) — designed to modify agent files

## Pattern Reference
See `references/threat-patterns.md` for full documentation of all detected patterns, organized by category with an explanation of why each pattern is dangerous.

## Important Notes
- No external dependencies — standard library only (Python 3.9+)
- Fast — under 1 second per skill, about 30 seconds for a full batch of 30+ skills
- This is deterministic pattern matching (Layer 2 defense), not LLM-based
- False positives are possible — the allowlist and the `--exclude` flag help
- The scanner will flag itself when scanned without the allowlist — this is expected behavior