skill-scanner
Scan OpenBot/Clawdbot skills for security vulnerabilities, malicious code, and suspicious patterns before installing them. Use when a user wants to audit a skill, check if a ClawHub skill is safe, scan for credential exfiltration, detect prompt injection, or review skill security. Triggers on security audit, skill safety check, malware scan, or trust verification.
Best use case
skill-scanner is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Scan OpenBot/Clawdbot skills for security vulnerabilities, malicious code, and suspicious patterns before installing them. Use when a user wants to audit a skill, check if a ClawHub skill is safe, scan for credential exfiltration, detect prompt injection, or review skill security. Triggers on security audit, skill safety check, malware scan, or trust verification.
Teams using skill-scanner should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/ai-skill-scanner/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How skill-scanner Compares
| Feature / Agent | skill-scanner | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Scan OpenBot/Clawdbot skills for security vulnerabilities, malicious code, and suspicious patterns before installing them. Use when a user wants to audit a skill, check if a ClawHub skill is safe, scan for credential exfiltration, detect prompt injection, or review skill security. Triggers on security audit, skill safety check, malware scan, or trust verification.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
SKILL.md Source
# Skill Security Scanner Scan skills for malicious patterns before installation. Detects credential exfiltration, suspicious network calls, obfuscated code, prompt injection, and other red flags. ## Quick Start ```bash # Scan a local skill folder python3 scripts/scan.py /path/to/skill # Verbose output (show matched lines) python3 scripts/scan.py /path/to/skill --verbose # JSON output (for automation) python3 scripts/scan.py /path/to/skill --json ``` ## Workflow: Scan Before Install 1. Download or locate the skill folder 2. Run `python3 scripts/scan.py <skill-path> --verbose` 3. Review findings by severity (CRITICAL/HIGH = do not install) 4. Report results to user with recommendation ## Score Interpretation | Score | Meaning | Recommendation | |-------|---------|----------------| | CLEAN | No issues found | Safe to install | | INFO | Minor notes only | Safe to install | | REVIEW | Medium-severity findings | Review manually before installing | | SUSPICIOUS | High-severity findings | Do NOT install without thorough manual review | | DANGEROUS | Critical findings detected | Do NOT install — likely malicious | ## Exit Codes - `0` = CLEAN/INFO - `1` = REVIEW - `2` = SUSPICIOUS - `3` = DANGEROUS ## Rules Reference See `references/rules.md` for full list of detection rules, severity levels, and whitelisted domains. ## Limitations - Pattern-based detection — cannot catch all obfuscation techniques - No runtime analysis — only static scanning - False positives possible for legitimate tools that access network/files - Always combine with manual review for HIGH/MEDIUM findings
Related Skills
Heimdall - Security Scanner for AI Agent Skills
Scan OpenClaw skills for malicious patterns before installation. Context-aware scanning with AI-powered narrative analysis.
ultimate-fork-and-skill-scanner
Scan GitHub forks and ClawHub skills for valuable changes, innovations, and enhancements.
fork-and-skill-scanner-ultimate
Scan 1,000 GitHub forks per run.
network-scanner
Scan networks to discover devices, gather MAC addresses, vendors, and hostnames. Includes safety checks to prevent accidental scanning of public networks.
security-scanner
Automated security scanning and vulnerability detection for web applications, APIs, and infrastructure.
security-skill-scanner
Security scanner for ClawdHub skills - detects suspicious patterns, manages whitelists, and monitors Moltbook for security threats.
heartbeat-scanner
Validate your agent nature through SHACL-based heartbeat analysis.
vulnerability-scanner
Advanced vulnerability analysis for OWASP 2025, supply chain security, attack surface mapping, and risk prioritization.
skill-threat-scanner
Scan OpenClaw skills for malware, prompt injection, reverse shells, wallet theft, supply chain attacks, and data.
securevibes-scanner
Run AI-powered application security scans on codebases.
permission-creep-scanner
Helps detect permission creep in AI agent skills — flags when a skill's actual code accesses resources far.
ggshield-scanner
Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI.