Tencent SkillHub · Security & Compliance

Security Audit (Sona)

Fail-closed security auditing for OpenClaw/ClawHub skills & repos: trufflehog secrets scanning, semgrep SAST, prompt-injection/persistence signals, and supply-chain hygiene checks before enabling or installing.

skill openclawclawhub Free

0 Downloads

0 Stars

0 Installs

0 Score

High Signal

⬇ 0 downloads ★ 0 stars Unverified but indexed

Install for OpenClaw

Quick setup

Download the package from Yavira.
Extract the archive and review SKILL.md first.
Import or place the package into your OpenClaw setup.

Requirements

Target platform: OpenClaw
Install method: Manual import
Extraction: Extract archive
Prerequisites: OpenClaw
Primary doc: SKILL.md

Package facts

Download mode: Yavira redirect
Package format: ZIP package
Source platform: Tencent SkillHub
What's included: CHANGELOG.md, README.md, SKILL.md, docs/OPENCLAW_SKILL_MANIFEST_SCHEMA.md, docs/README_ZERO_TRUST_INSTALL.md, openclaw-skill.json

Validation

Use the Yavira download entry.
Review SKILL.md after the package is downloaded.
Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

Download the package from Yavira.
Extract it into a folder your agent can access.
Paste one of the prompts below and point your agent at the extracted folder.

New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.

Open Send to Agent page Open JSON manifest Open Markdown brief

Trust & source

Release facts

Source: Tencent SkillHub
Verification: Indexed source record
Version: 0.1.3

Provenance

Publisher: virtaava
Source page: View original listing
Canonical URL: Open canonical page

Documentation

ClawHub primary doc Primary doc: SKILL.md 7 sections Open source page

security-audit

A hostile-by-design, fail-closed audit workflow for codebases and OpenClaw/ClawHub skills. It does not try to answer “does this skill work?”. It tries to answer: “can this skill betray the system?”

What it checks (high level)

This skill’s scripts combine multiple layers: Secrets / credential leakage: trufflehog Static analysis: semgrep (auto rules) Hostile repo audit (custom): prompt-injection signals, persistence mechanisms, suspicious artifacts, dependency hygiene If any layer fails, the overall audit is FAIL.

Run an audit (JSON)

From this skill folder (use bash so it works even if executable bits were not preserved by a zip download): bash scripts/run_audit_json.sh <path> Example: bash scripts/run_audit_json.sh . > /tmp/audit.json jq '.ok, .tools' /tmp/audit.json

Security levels (user configurable)

Set the strictness level (default: standard): OPENCLAW_AUDIT_LEVEL=standard bash scripts/run_audit_json.sh <path> OPENCLAW_AUDIT_LEVEL=strict bash scripts/run_audit_json.sh <path> OPENCLAW_AUDIT_LEVEL=paranoid bash scripts/run_audit_json.sh <path> standard: pragmatic strict defaults (lockfiles required; install hooks/persistence/prompt-injection signals fail) strict: more patterns become hard FAIL (e.g. minified/obfuscation artifacts) paranoid: no "best-effort" hashing failures; more fail-closed behavior

Manifest requirement (for zero-trust install workflows)

For strict/quarantine workflows, require a machine-readable intent/permissions manifest at repo root: openclaw-skill.json If a repo/skill does not provide this manifest, the hostile audit should treat it as FAIL. See: docs/OPENCLAW_SKILL_MANIFEST_SCHEMA.md.

Optional: execution sandbox (Docker)

Docker is optional here. This skill can be used for static auditing without Docker. If you want to execute any generated/untrusted code, run it in a separate sandbox workflow (recommended).

Files

scripts/run_audit_json.sh — main JSON audit runner scripts/hostile_audit.py — prompt-injection/persistence/dependency hygiene scanner scripts/security_audit.sh — convenience wrapper (always returns JSON, never non-zero) openclaw-skill.json — machine-readable intent/permissions manifest

Category context

Identity, auth, scanning, governance, audit, and operational guardrails.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package

5 Docs1 Config

SKILL.md Primary doc
CHANGELOG.md Docs
docs/OPENCLAW_SKILL_MANIFEST_SCHEMA.md Docs
docs/README_ZERO_TRUST_INSTALL.md Docs
README.md Docs
openclaw-skill.json Config