{
  "schemaVersion": "1.0",
  "item": {
    "slug": "openclaw-skill-auditor",
    "name": "OpenClaw Skill Auditor",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/sypsyp97/openclaw-skill-auditor",
    "canonicalUrl": "https://clawhub.ai/sypsyp97/openclaw-skill-auditor",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/openclaw-skill-auditor",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=openclaw-skill-auditor",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "scripts/audit.sh"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
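      "detail": "Yavira can redirect you to the upstream package for this source. The recorded probe (finalUrl, probeUrl and contentDisposition) references the slug 4claw-imageboard rather than openclaw-skill-auditor, so this status may not describe this package; confirm the downloaded archive's name and contents match before importing it.",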
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/openclaw-skill-auditor"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/openclaw-skill-auditor",
    "agentPageUrl": "https://openagent3.xyz/skills/openclaw-skill-auditor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-skill-auditor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-skill-auditor/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Skill Auditor 🔍",
        "body": "Audit ClawHub skills for security threats before installing them."
      },
      {
        "title": "Triggers",
        "body": "Use this skill when:\n\n\"Audit this skill\"\n\"Check skill security\"\nBefore installing any third-party skill"
      },
      {
        "title": "Method 1: Pre-install audit (recommended)",
        "body": "# Inspect without installing\nclawhub inspect <skill-name>\n\n# Run the audit script\n~/.openclaw/workspace/skills/skill-auditor/scripts/audit.sh <skill-name>"
      },
      {
        "title": "Method 2: Audit an installed skill",
        "body": "~/.openclaw/workspace/skills/skill-auditor/scripts/audit.sh --local <skill-path>"
      },
      {
        "title": "L1: Pattern Matching",
        "body": "Severity\tPattern\tRisk\n🔴 High\tbase64.*|.*bash\tEncoded execution\n🔴 High\tcurl.*|.*bash\tRemote script execution\n🔴 High\teval\\( / exec\\(\tDynamic code execution\n🔴 High\tKnown C2 server IPs\tMalicious communication\n🟡 Medium\tAccess to ~/.openclaw/\tConfig theft\n🟡 Medium\tReads $API_KEY etc.\tCredential leakage\n🟡 Medium\tSocial engineering keywords\tUser deception\n🟢 Low\tRequires sudo\tElevated privileges"
      },
      {
        "title": "L2: Deobfuscation",
        "body": "Automatically decodes hidden malicious payloads:\n\nBase64 — Decodes and scans for hidden commands\nHex — Decodes \\x41\\x42 format strings\nChecks decoded content for C2 servers and dangerous commands"
      },
      {
        "title": "L3: LLM Analysis (optional)",
        "body": "Uses Gemini CLI to analyze suspicious code intent:\n\nSemantic understanding beyond pattern matching\nDetects novel/unknown threats\nRequires gemini CLI installed"
      },
      {
        "title": "C2 Server IPs",
        "body": "91.92.242.30  # ClawHavoc primary server"
      },
      {
        "title": "Malicious Domains",
        "body": "glot.io       # Hosts obfuscated scripts\nwebhook.site  # Data exfiltration endpoint"
      },
      {
        "title": "Social Engineering Keywords",
        "body": "OpenClawDriver    # Non-existent \"driver\"\nClawdBot Driver   # Social engineering lure\nRequired Driver   # Tricks users into installing malware"
      },
      {
        "title": "Output Format",
        "body": "═══════════════════════════════════════════\n  SKILL AUDIT REPORT: <skill-name>\n═══════════════════════════════════════════\n\n🔴 HIGH RISK FINDINGS:\n   [LINE 23] base64 encoded execution detected\n   [LINE 45] curl|bash pattern found\n\n🟡 MEDIUM RISK FINDINGS:\n   [LINE 12] Accesses ~/.openclaw/ directory\n\n🟢 LOW RISK FINDINGS:\n   [LINE 5] Requires sudo for installation\n\n═══════════════════════════════════════════\n  VERDICT: ❌ DO NOT INSTALL\n═══════════════════════════════════════════"
      },
      {
        "title": "Best Practices",
        "body": "Always audit before install — Never skip the security check\nTrust no skill blindly — Including highly starred or popular ones\nCheck updates — Skill updates may introduce malicious code\nReport suspicious skills — Send to steipete@gmail.com"
      },
      {
        "title": "Maintenance",
        "body": "Update this skill when new threats are discovered:\n\nNew malicious IP → Add to MALICIOUS_IPS\nNew malicious domain → Add to MALICIOUS_DOMAINS\nNew social engineering lure → Add to SOCIAL_ENGINEERING\nNew attack pattern → Add regex detection\n\nUpdate location: variable definitions at the top of scripts/audit.sh"
      },
      {
        "title": "References",
        "body": "341 Malicious ClawHub Skills Incident\nOpenClaw Security Guide"
      }
    ],
    "body": "Skill Auditor 🔍\n\nAudit ClawHub skills for security threats before installing them.\n\nTriggers\n\nUse this skill when:\n\n\"Audit this skill\"\n\"Check skill security\"\nBefore installing any third-party skill\nUsage\nMethod 1: Pre-install audit (recommended)\n# Inspect without installing\nclawhub inspect <skill-name>\n\n# Run the audit script\n~/.openclaw/workspace/skills/skill-auditor/scripts/audit.sh <skill-name>\n\nMethod 2: Audit an installed skill\n~/.openclaw/workspace/skills/skill-auditor/scripts/audit.sh --local <skill-path>\n\nDetection Layers\nL1: Pattern Matching\nSeverity\tPattern\tRisk\n🔴 High\tbase64.*|.*bash\tEncoded execution\n🔴 High\tcurl.*|.*bash\tRemote script execution\n🔴 High\teval\\( / exec\\(\tDynamic code execution\n🔴 High\tKnown C2 server IPs\tMalicious communication\n🟡 Medium\tAccess to ~/.openclaw/\tConfig theft\n🟡 Medium\tReads $API_KEY etc.\tCredential leakage\n🟡 Medium\tSocial engineering keywords\tUser deception\n🟢 Low\tRequires sudo\tElevated privileges\nL2: Deobfuscation\n\nAutomatically decodes hidden malicious payloads:\n\nBase64 — Decodes and scans for hidden commands\nHex — Decodes \\x41\\x42 format strings\nChecks decoded content for C2 servers and dangerous commands\nL3: LLM Analysis (optional)\n\nUses Gemini CLI to analyze suspicious code intent:\n\nSemantic understanding beyond pattern matching\nDetects novel/unknown threats\nRequires gemini CLI installed\nKnown Indicators of Compromise (IoC)\nC2 Server IPs\n91.92.242.30  # ClawHavoc primary server\n\nMalicious Domains\nglot.io       # Hosts obfuscated scripts\nwebhook.site  # Data exfiltration endpoint\n\nSocial Engineering Keywords\nOpenClawDriver    # Non-existent \"driver\"\nClawdBot Driver   # Social engineering lure\nRequired Driver   # Tricks users into installing malware\n\nOutput Format\n═══════════════════════════════════════════\n  SKILL AUDIT REPORT: <skill-name>\n═══════════════════════════════════════════\n\n🔴 HIGH RISK FINDINGS:\n   [LINE 23] 
base64 encoded execution detected\n   [LINE 45] curl|bash pattern found\n\n🟡 MEDIUM RISK FINDINGS:\n   [LINE 12] Accesses ~/.openclaw/ directory\n\n🟢 LOW RISK FINDINGS:\n   [LINE 5] Requires sudo for installation\n\n═══════════════════════════════════════════\n  VERDICT: ❌ DO NOT INSTALL\n═══════════════════════════════════════════\n\nBest Practices\nAlways audit before install — Never skip the security check\nTrust no skill blindly — Including highly starred or popular ones\nCheck updates — Skill updates may introduce malicious code\nReport suspicious skills — Send to steipete@gmail.com\nMaintenance\n\nUpdate this skill when new threats are discovered:\n\nNew malicious IP → Add to MALICIOUS_IPS\nNew malicious domain → Add to MALICIOUS_DOMAINS\nNew social engineering lure → Add to SOCIAL_ENGINEERING\nNew attack pattern → Add regex detection\n\nUpdate location: variable definitions at the top of scripts/audit.sh\n\nReferences\n341 Malicious ClawHub Skills Incident\nOpenClaw Security Guide"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/sypsyp97/openclaw-skill-auditor",
    "publisherUrl": "https://clawhub.ai/sypsyp97/openclaw-skill-auditor",
    "owner": "sypsyp97",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/openclaw-skill-auditor",
    "downloadUrl": "https://openagent3.xyz/downloads/openclaw-skill-auditor",
    "agentUrl": "https://openagent3.xyz/skills/openclaw-skill-auditor/agent",
    "manifestUrl": "https://openagent3.xyz/skills/openclaw-skill-auditor/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/openclaw-skill-auditor/agent.md"
  }
}