{ "schemaVersion": "1.0", "item": { "slug": "claw-guard", "name": "ClawGuard", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/Taha2053/claw-guard", "canonicalUrl": "https://clawhub.ai/Taha2053/claw-guard", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/claw-guard", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=claw-guard", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "README.md", "SKILL.md", "scan.py" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/claw-guard" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/claw-guard", "agentPageUrl": "https://openagent3.xyz/skills/claw-guard/agent", "manifestUrl": "https://openagent3.xyz/skills/claw-guard/agent.json", "briefUrl": "https://openagent3.xyz/skills/claw-guard/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "ClawGuard — Security Auditor for ClawHub Skills", "body": "Scan before you install. Every time.\n\nThe ClawHavoc attack (February 2026) put over 1,100 malicious skills on ClawHub — stealing SSH keys, crypto wallets, browser passwords, and opening reverse shells. 91% of them combined code malware with prompt injection. ClawGuard was built to make sure you never install one blindly.\n\nClawGuard is the first skill you install. Then use it to audit every skill after." }, { "title": "External Endpoints", "body": "EndpointPurposeData SentNoneFully local analysisNothing leaves your machine\n\nClawGuard performs all analysis locally. No external API calls. No telemetry. No network access of any kind." }, { "title": "Security & Privacy", "body": "Zero external calls. All analysis happens on your local filesystem.\nNo credentials required. No API keys, tokens, or env vars.\nRead-only. ClawGuard never writes to the target skill directory — it only reads.\nOpen source. Every check is visible in scripts/scan.py. Read it before trusting it.\n\nTrust Statement: ClawGuard reads skill files on your local machine and outputs a report. Nothing is transmitted anywhere. You can verify this by reading scripts/scan.py before running." }, { "title": "Model Invocation Note", "body": "ClawGuard is invoked when you ask OpenClaw to check, audit, scan, or inspect a skill before installing. You can also run it directly via python3 skills/clawguard/scripts/scan.py . OpenClaw will not invoke ClawGuard automatically without your request — it is always user-initiated." }, { "title": "Via OpenClaw (natural language)", "body": "\"Scan the skill at ./skills/some-skill before I install it\"\n\"Is the weather skill safe to install?\"\n\"Audit clawhub skill: capability-evolver\"\n\"Check this skill directory for malicious patterns\"" }, { "title": "Via CLI (direct)", "body": "python3 skills/clawguard/scripts/scan.py ./path/to/skill-folder" }, { "title": "What ClawGuard Checks", "body": "ClawGuard runs 7 checks across every skill it audits:" }, { "title": "1. 🔴 Prompt Injection Detection", "body": "Scans SKILL.md for hidden instructions that try to hijack the AI agent — patterns like instruction-override patterns, jailbreak phrases, role-swap commands, and base64-encoded command strings." }, { "title": "2. 🔴 Data Exfiltration Detection", "body": "Scans all shell scripts for outbound data patterns — curl/wget to unknown domains, DNS tunneling, reverse shell patterns (bash -i, nc -e, /dev/tcp), and base64-encoded command execution." }, { "title": "3. 🔴 Shell Injection Risk", "body": "Checks for unsafe variable interpolation (unquoted $VAR in curl URLs), missing set -euo pipefail, raw user input passed to shell commands without sanitization." }, { "title": "4. 🟡 Permission Mismatch", "body": "Compares permissions declared in SKILL.md frontmatter against what scripts actually access. A skill that declares env: [] but reads $HOME/.ssh/ is a red flag." }, { "title": "5. 🟡 External Endpoint Audit", "body": "Extracts every URL and domain contacted in scripts. Cross-references against the External Endpoints table in SKILL.md. Flags undeclared endpoints." }, { "title": "6. 🟡 Repository Trust Score", "body": "Evaluates: GitHub account age (must be 7+ days), repo star count, commit history depth, number of contributors, and time since last commit." }, { "title": "7. 🟢 Structure Compliance", "body": "Verifies the skill follows the ClawHub spec: valid SKILL.md frontmatter, correct clawdbot metadata key (not openclaw), semver version, and declared files field." }, { "title": "Output Format", "body": "ClawGuard outputs a clean, readable report:\n\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n🔍 CLAWGUARD REPORT — some-skill v1.0.0\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\nVERDICT: ✅ PASS (or ⚠️ WARN or ❌ FAIL)\n\nCHECK RESULTS:\n ✅ No prompt injection patterns detected\n ✅ No data exfiltration patterns detected\n ✅ No shell injection risks detected\n ✅ Permissions match declared scope\n ⚠️ 1 undeclared endpoint found: api.example.com\n ✅ Repository trust signals: OK\n ✅ Structure compliant\n\nFINDINGS:\n [WARN] scripts/fetch.sh line 12: URL contacts api.example.com\n Not declared in SKILL.md External Endpoints table.\n Recommend: verify this domain before installing.\n\nRECOMMENDATION:\n This skill passes all critical checks. One minor warning\n requires manual review before installing.\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" }, { "title": "Verdict Rules", "body": "✅ PASS — All critical checks pass, 0-1 minor warnings\n⚠️ WARN — No critical failures, but 2+ warnings or 1 medium-severity finding\n❌ FAIL — Any critical finding: prompt injection, confirmed exfiltration, reverse shell, or credential theft pattern" }, { "title": "Severity Reference", "body": "FindingSeverityVerdict ImpactPrompt injection instruction🔴 CriticalFAILReverse shell pattern🔴 CriticalFAILBase64-encoded shell execution🔴 CriticalFAILCredential/key exfiltration🔴 CriticalFAILUndeclared external endpoint🟡 MediumWARNMissing set -euo pipefail🟡 MediumWARNUnquoted variable in curl URL🟡 MediumWARNMissing security manifest🟡 LowWARNWrong metadata key (openclaw vs clawdbot)🟢 InfoNoteMissing homepage field🟢 InfoNote" }, { "title": "Example Interactions", "body": "\"Scan ./skills/new-skill I just downloaded\"\n→ Runs full audit, outputs structured report, gives install recommendation\n\n\"Is the gog skill safe?\"\n→ Locates installed gog skill, scans it, outputs verdict\n\n\"Check all my installed skills for issues\"\n→ Scans every directory under ./skills/, outputs summary table\n\n\"Scan this skill and explain any warnings in plain English\"\n→ Outputs report with plain-language explanations of each finding" }, { "title": "File Structure", "body": "clawguard/\n├── SKILL.md ← You are here\n├── README.md ← Install guide\n└── scripts/\n └── scan.py ← Core scanner (Python 3, stdlib only)" }, { "title": "Philosophy", "body": "ClawGuard is deliberately minimal:\n\nOne script. scan.py uses Python 3 stdlib only — no pip installs, no dependencies.\nRead-only. It never modifies anything.\nLocal only. It never phones home.\nTransparent. Every check is readable in plain Python. Audit the auditor." } ], "body": "ClawGuard — Security Auditor for ClawHub Skills\n\nScan before you install. Every time.\n\nThe ClawHavoc attack (February 2026) put over 1,100 malicious skills on ClawHub — stealing SSH keys, crypto wallets, browser passwords, and opening reverse shells. 91% of them combined code malware with prompt injection. ClawGuard was built to make sure you never install one blindly.\n\nClawGuard is the first skill you install. Then use it to audit every skill after.\n\nExternal Endpoints\nEndpoint\tPurpose\tData Sent\nNone\tFully local analysis\tNothing leaves your machine\n\nClawGuard performs all analysis locally. No external API calls. No telemetry. No network access of any kind.\n\nSecurity & Privacy\nZero external calls. All analysis happens on your local filesystem.\nNo credentials required. No API keys, tokens, or env vars.\nRead-only. ClawGuard never writes to the target skill directory — it only reads.\nOpen source. Every check is visible in scripts/scan.py. Read it before trusting it.\n\nTrust Statement: ClawGuard reads skill files on your local machine and outputs a report. Nothing is transmitted anywhere. You can verify this by reading scripts/scan.py before running.\n\nModel Invocation Note\n\nClawGuard is invoked when you ask OpenClaw to check, audit, scan, or inspect a skill before installing. You can also run it directly via python3 skills/clawguard/scripts/scan.py . OpenClaw will not invoke ClawGuard automatically without your request — it is always user-initiated.\n\nHow to Use\nVia OpenClaw (natural language)\n\"Scan the skill at ./skills/some-skill before I install it\"\n\"Is the weather skill safe to install?\"\n\"Audit clawhub skill: capability-evolver\"\n\"Check this skill directory for malicious patterns\"\n\nVia CLI (direct)\npython3 skills/clawguard/scripts/scan.py ./path/to/skill-folder\n\nWhat ClawGuard Checks\n\nClawGuard runs 7 checks across every skill it audits:\n\n1. 🔴 Prompt Injection Detection\n\nScans SKILL.md for hidden instructions that try to hijack the AI agent — patterns like instruction-override patterns, jailbreak phrases, role-swap commands, and base64-encoded command strings.\n\n2. 🔴 Data Exfiltration Detection\n\nScans all shell scripts for outbound data patterns — curl/wget to unknown domains, DNS tunneling, reverse shell patterns (bash -i, nc -e, /dev/tcp), and base64-encoded command execution.\n\n3. 🔴 Shell Injection Risk\n\nChecks for unsafe variable interpolation (unquoted $VAR in curl URLs), missing set -euo pipefail, raw user input passed to shell commands without sanitization.\n\n4. 🟡 Permission Mismatch\n\nCompares permissions declared in SKILL.md frontmatter against what scripts actually access. A skill that declares env: [] but reads $HOME/.ssh/ is a red flag.\n\n5. 🟡 External Endpoint Audit\n\nExtracts every URL and domain contacted in scripts. Cross-references against the External Endpoints table in SKILL.md. Flags undeclared endpoints.\n\n6. 🟡 Repository Trust Score\n\nEvaluates: GitHub account age (must be 7+ days), repo star count, commit history depth, number of contributors, and time since last commit.\n\n7. 🟢 Structure Compliance\n\nVerifies the skill follows the ClawHub spec: valid SKILL.md frontmatter, correct clawdbot metadata key (not openclaw), semver version, and declared files field.\n\nOutput Format\n\nClawGuard outputs a clean, readable report:\n\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n🔍 CLAWGUARD REPORT — some-skill v1.0.0\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\nVERDICT: ✅ PASS (or ⚠️ WARN or ❌ FAIL)\n\nCHECK RESULTS:\n ✅ No prompt injection patterns detected\n ✅ No data exfiltration patterns detected\n ✅ No shell injection risks detected\n ✅ Permissions match declared scope\n ⚠️ 1 undeclared endpoint found: api.example.com\n ✅ Repository trust signals: OK\n ✅ Structure compliant\n\nFINDINGS:\n [WARN] scripts/fetch.sh line 12: URL contacts api.example.com\n Not declared in SKILL.md External Endpoints table.\n Recommend: verify this domain before installing.\n\nRECOMMENDATION:\n This skill passes all critical checks. One minor warning\n requires manual review before installing.\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\nVerdict Rules\n✅ PASS — All critical checks pass, 0-1 minor warnings\n⚠️ WARN — No critical failures, but 2+ warnings or 1 medium-severity finding\n❌ FAIL — Any critical finding: prompt injection, confirmed exfiltration, reverse shell, or credential theft pattern\nSeverity Reference\nFinding\tSeverity\tVerdict Impact\nPrompt injection instruction\t🔴 Critical\tFAIL\nReverse shell pattern\t🔴 Critical\tFAIL\nBase64-encoded shell execution\t🔴 Critical\tFAIL\nCredential/key exfiltration\t🔴 Critical\tFAIL\nUndeclared external endpoint\t🟡 Medium\tWARN\nMissing set -euo pipefail\t🟡 Medium\tWARN\nUnquoted variable in curl URL\t🟡 Medium\tWARN\nMissing security manifest\t🟡 Low\tWARN\nWrong metadata key (openclaw vs clawdbot)\t🟢 Info\tNote\nMissing homepage field\t🟢 Info\tNote\nExample Interactions\n\"Scan ./skills/new-skill I just downloaded\"\n→ Runs full audit, outputs structured report, gives install recommendation\n\n\"Is the gog skill safe?\"\n→ Locates installed gog skill, scans it, outputs verdict\n\n\"Check all my installed skills for issues\"\n→ Scans every directory under ./skills/, outputs summary table\n\n\"Scan this skill and explain any warnings in plain English\"\n→ Outputs report with plain-language explanations of each finding\n\nFile Structure\nclawguard/\n├── SKILL.md ← You are here\n├── README.md ← Install guide\n└── scripts/\n └── scan.py ← Core scanner (Python 3, stdlib only)\n\nPhilosophy\n\nClawGuard is deliberately minimal:\n\nOne script. scan.py uses Python 3 stdlib only — no pip installs, no dependencies.\nRead-only. It never modifies anything.\nLocal only. It never phones home.\nTransparent. Every check is readable in plain Python. Audit the auditor." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/Taha2053/claw-guard", "publisherUrl": "https://clawhub.ai/Taha2053/claw-guard", "owner": "Taha2053", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/claw-guard", "downloadUrl": "https://openagent3.xyz/downloads/claw-guard", "agentUrl": "https://openagent3.xyz/skills/claw-guard/agent", "manifestUrl": "https://openagent3.xyz/skills/claw-guard/agent.json", "briefUrl": "https://openagent3.xyz/skills/claw-guard/agent.md" } }