Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub · Security & Compliance
skill-security-scanner-clean
Security scanner for OpenClaw skills. Use when installing, updating, or auditing skills to detect malicious backdoors, suspicious code patterns, data exfiltr...
skill openclawclawhub Free
Security scanner for OpenClaw skills. Use when installing, updating, or auditing skills to detect malicious backdoors, suspicious code patterns, data exfiltr...
⬇ 0 downloads ★ 0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- SKILL.md, scripts/install_guard.py, scripts/security_scanner.py, references/rules-reference.md, assets/logo.svg
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 1.0.0
Provenance
- Publisher
- CookieMikeLiu
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
Skill Security Scanner
Protect your OpenClaw installation from malicious skills. This scanner performs static analysis on skill code to detect: Code Execution Threats: eval, exec, os.system, subprocess calls Data Exfiltration: Hidden network requests, suspicious URLs, IP connections System Compromise: File deletion, permission changes, privilege escalation Credential Theft: Environment variable access, secret harvesting Cryptojacking: Mining malware, suspicious compute patterns Obfuscation: Hidden code, base64 encoding, minification Spyware: Keyloggers, screen capture, surveillance features
Quick Start
# Basic scan python scripts/security_scanner.py /path/to/skill # Strict mode (catches more suspicious patterns) python scripts/security_scanner.py /path/to/skill --strict # Save JSON report python scripts/security_scanner.py /path/to/skill --format json -o report.json # Generate markdown report python scripts/security_scanner.py /path/to/skill --format markdown -o report.md
Verdict Levels
VerdictEmojiMeaningActionPASS🟢No critical issues foundSafe to installREVIEW🟡Some concerns, review recommendedCheck findings before installingWARNING🟠High-risk patterns detectedStrongly reconsider installationREJECT🔴Critical threats identifiedDO NOT INSTALL
Security Score
90-100: Excellent - minimal risk 70-89: Good - minor issues 50-69: Fair - requires review 0-49: Poor - significant risks
Critical (🔴)
RuleDescriptionExampleEXEC001Code execution functionseval(), exec(), compile()SUSPICIOUS001Keylogger functionalitypynput, keyboard modulesSUSPICIOUS003Cryptocurrency miningmining, bitcoin, stratum+tcp
High (🟠)
RuleDescriptionExampleEXEC002System command executionos.system(), subprocess.call()NET002Raw socket connectionssocket.connect()ENV001Sensitive credential accessos.environ['PASSWORD']OBF001Code obfuscationBase64, hex-encoded codeSUSPICIOUS002Screen capturepyautogui.screenshot()NET004Short URL usagebit.ly, tinyurl links
Medium (🟡)
RuleDescriptionExampleNET001HTTP network requestsrequests.get(), fetch()ENV002Environment enumerationos.environ.items()FILE001File deletionos.remove(), shutil.rmtree()DATA001Unsafe deserializationpickle.loads(), yaml.load()NET003Hardcoded IP addressesDirect IP in URLsOBF002Base64 encoded blocksLarge base64 strings
Low/Info (🔵/⚪)
RuleDescriptionFILE002File write operationsCRYPTO001Cryptographic operationsDOC001Insufficient documentationDOC002Missing security statements
Before Installing a New Skill
Download the skill to a temporary directory Run the security scanner Review the verdict: 🟢 PASS: Proceed with installation 🟡 REVIEW: Examine findings, verify legitimate use 🟠 WARNING: Only install from trusted sources 🔴 REJECT: Do not install For 🟡/🟠 findings, manually review the flagged code Confirm the skill's behavior matches its documentation
Before Updating an Existing Skill
Run scanner on the new version Compare results with previous version's scan Check for new critical/high findings Review any new network/file operations
Automated Integration
Add to your skill installation workflow: import subprocess import sys def safe_install_skill(skill_path): # Run security scan result = subprocess.run( ['python', 'scripts/security_scanner.py', skill_path, '--format', 'json'], capture_output=True, text=True ) import json report = json.loads(result.stdout) if report['summary']['verdict'] == 'REJECT': print("❌ Installation blocked: Critical security issues found") return False if report['summary']['verdict'] == 'WARNING': response = input("⚠️ High-risk patterns detected. Install anyway? (y/N): ") if response.lower() != 'y': return False # Proceed with installation return True
Handling False Positives
Some legitimate skills may trigger warnings: Network requests: Skills that fetch data from APIs File operations: Skills that modify documents Encryption: Skills handling sensitive data When you trust the source and understand the functionality, you can: Review the specific code flagged Verify it matches the documented purpose Manually approve if confident
Reporting Issues
If you find a skill with confirmed malicious intent: Do not install or run it Report to the skill repository/hosting platform Notify OpenClaw community channels Share scan report (without executing the skill)
Best Practices
Only install skills from trusted sources Always scan before installing - even from trusted sources Review findings carefully - understand what the skill does Keep scanner updated - new detection rules added regularly Use strict mode for untrusted sources - catches more suspicious patterns Check skill updates - re-scan when updating existing skills
Exit Codes
The scanner returns specific exit codes: CodeMeaning0PASS or REVIEW - installation may proceed1WARNING - high-risk patterns found2REJECT - critical threats detected Use in scripts: python scripts/security_scanner.py ./skill || { echo "Security check failed" exit 1 }
Category context
Identity, auth, scanning, governance, audit, and operational guardrails.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
2 Docs2 Scripts1 Assets
- SKILL.md
- references/rules-reference.md
- scripts/install_guard.py
- scripts/security_scanner.py
- assets/logo.svg