Skill Security Scanner

Security audit tool for OpenClaw skills. Run before installing any new skill.

Quick Audit

# Audit a skill directory
~/workspace/skills/skill-security/audit.sh /path/to/skill

# Audit all installed skills
~/workspace/skills/skill-security/audit-all.sh

What It Checks

Severity Levels

• CRITICAL (🚨): Block installation, report to owner
• HIGH (🔴): Requires manual review before use
• MEDIUM (🟡): Note but allow if from trusted source
• LOW (🟢): Informational only

Safe Skill Checklist

Before using any skill:

1. ✅ Is it from a trusted source? (official OpenClaw, known publisher)
2. ✅ Is the code readable (not obfuscated)?
3. ✅ Does it document why it needs network/credential access?
4. ✅ Does it scope file access to its own directory?
5. ✅ Has it been audited by the community?

Integration with AGENTS.md

Add this to your workflow:

## Skill Installation Protocol

Before loading any new skill:
1. Run `~/workspace/skills/skill-security/audit.sh <skill-path>`
2. If CRITICAL/HIGH findings → STOP, alert the user
3. If MEDIUM findings → Review manually, proceed if justified
4. If CLEAN → Safe to use

Automatic Protection

The scanner creates a blocklist at ./blocklist.txt.

Skills with CRITICAL findings are automatically added.

Manual Override

If a skill is flagged but you've verified it's safe:

echo "skill-name:verified:YYYY-MM-DD:reason" >> allowlist.txt

Premium Skills

Like this? Check out our premium skills at skillpacks.dev:

• 🛡️ Security Suite — Full PII scanning, secrets detection, prompt injection defense — $9.90
• 🧠 Structured Memory — Three-tier memory replacing flat MEMORY.md — $9.90
• 📋 Planning & Execution — Systematic task plans with batch execution — $9.90
• 💎 Bundle — all 3 for $24.90