AURA Security Scanner

Protect your AI agent from malicious skills. Scan any OpenClaw, Claude MCP, or LangChain skill before installation.

What It Detects

• Malware Patterns - Credential theft, file exfiltration, crypto miners, backdoors
• Prompt Injection - Attempts to override system instructions or jailbreak agents
• Permission Issues - Overly broad filesystem, network, or execution permissions
• Suspicious Networks - Connections to known exfiltration domains (webhook.site, etc.)
• Obfuscated Code - Base64/hex encoded execution, dynamic eval patterns

Usage

Ask me to scan a skill before you install it:

"Scan this skill for security issues: https://github.com/user/cool-skill"

"Is this skill safe? https://github.com/example/mcp-tool"

"Check https://clawhub.xyz/skill/weather-api for malware"

Verdicts

AURA Verified Badge

Skills with a SAFE verdict can display the AURA Verified badge, showing users they've been scanned and approved.

Examples

Safe Skill Response

AURA Skill Scan: weather-api

Verdict: SAFE
Risk Score: 5/100
AURA Verified: Yes

Summary: Clean skill with minimal permissions.
Requests only weather API access.

Recommendation: Safe to install.

Dangerous Skill Response

AURA Skill Scan: suspicious-helper

Verdict: DANGEROUS
Risk Score: 78/100
AURA Verified: No

Findings:
- CRITICAL: Accesses SSH keys (~/.ssh/id_rsa)
- HIGH: Sends data to webhook.site
- HIGH: Runs eval() on decoded base64

Recommendation: Do not install. Contains credential
theft and data exfiltration patterns.

API

This skill calls the AURA Security API:

POST https://api.aurasecurity.io/scan-skill
{
  "skillUrl": "https://github.com/user/skill",
  "format": "auto",
  "includeRepoTrust": true
}

About AURA

AURA (Agent Universal Reputation & Assurance) provides security infrastructure for the AI agent ecosystem. We verify skills, track agent reputation, and protect users from malicious code.

• Website: https://aurasecurity.io
• GitHub: https://github.com/aurasecurityio/aura-security
• X/Twitter: @aurasecurityio