clauwdit
Security auditor for AI agent skills. Scans SKILL.md files for prompt injection, data exfiltration, obfuscation, and dangerous capability combinations.
Best use case
clauwdit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Security auditor for AI agent skills. Scans SKILL.md files for prompt injection, data exfiltration, obfuscation, and dangerous capability combinations.
Teams using clauwdit should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/clauwdit/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How clauwdit Compares
| Feature / Agent | clauwdit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Security auditor for AI agent skills. Scans SKILL.md files for prompt injection, data exfiltration, obfuscation, and dangerous capability combinations.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
Best AI Skills for ChatGPT
Find the best AI skills to adapt into ChatGPT workflows for research, writing, summarization, planning, and repeatable assistant tasks.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# ClawAudit — Security Auditor for Agent Skills
Static security analyzer for OpenClaw SKILL.md files. Detects prompt injection, credential exfiltration, obfuscated payloads, and dangerous capability combinations before you install.
## What It Does
Paste or pipe any SKILL.md content and get back a trust score (0-100) with detailed findings.
**Detects:**
- Prompt injection and agent manipulation (including Unicode homoglyph evasion)
- Data exfiltration patterns (HTTP, DNS, encoded channels)
- Dangerous shell commands (curl|sh, /dev/tcp, process substitution)
- Credential harvesting (env vars, SSH keys, API tokens)
- Obfuscated payloads (base64, hex escapes, eval chains)
- Compound threats (e.g. file read + network out = exfiltration)
- Permission mismatches (undeclared capabilities)
**Zone-aware analysis** — understands markdown structure. Code blocks are weighted as executable instructions. Security documentation describing threats is not flagged as a threat itself.
## Usage
Audit a skill before installing:
```bash
curl -s https://clauwdit.4worlds.dev/audit/author/skill-name
```
Or POST raw skill content:
```bash
curl -s -X POST https://clauwdit.4worlds.dev/audit \
-H "Content-Type: application/json" \
-d '{"skill":"author/skill-name"}'
```
## Trust Tiers
| Score | Tier | Meaning |
|-------|------|---------|
| 80-100 | Trusted | No significant issues found |
| 60-79 | Moderate | Minor concerns, review recommended |
| 40-59 | Suspicious | Significant issues, use with caution |
| 0-39 | Dangerous | Critical threats detected, do not install |
## Response Format
```json
{
"trust": { "score": 85, "tier": "trusted" },
"findings": [
{
"severity": "medium",
"description": "Network request capability detected",
"zone": "code",
"line": 12
}
],
"capabilities": ["network_out", "file_read"],
"compoundThreats": [],
"permissionIntegrity": { "undeclared": [], "unused": [] }
}
```
## About
Built by 4Worlds. Zone-aware static analysis with 60+ detection patterns, Unicode homoglyph normalization, and compound threat detection.Related Skills
---
name: article-factory-wechat
humanizer
Remove signs of AI-generated writing from text. Use when editing or reviewing text to make it sound more natural and human-written. Based on Wikipedia's comprehensive "Signs of AI writing" guide. Detects and fixes patterns including: inflated symbolism, promotional language, superficial -ing analyses, vague attributions, em dash overuse, rule of three, AI vocabulary words, negative parallelisms, and excessive conjunctive phrases.
find-skills
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities. This skill should be used when the user is looking for functionality that might exist as an installable skill.
tavily-search
Use Tavily API for real-time web search and content extraction. Use when: user needs real-time web search results, research, or current information from the web. Requires Tavily API key.
baidu-search
Search the web using Baidu AI Search Engine (BDSE). Use for live information, documentation, or research topics.
agent-autonomy-kit
Stop waiting for prompts. Keep working.
Meeting Prep
Never walk into a meeting unprepared again. Your agent researches all attendees before calendar events—pulling LinkedIn profiles, recent company news, mutual connections, and conversation starters. Generates a briefing doc with talking points, icebreakers, and context so you show up informed and confident. Triggered automatically before meetings or on-demand. Configure research depth, advance timing, and output format. Walking into meetings blind is amateur hour—missed connections, generic small talk, zero leverage. Use when setting up meeting intelligence, researching specific attendees, generating pre-meeting briefs, or automating your prep workflow.
self-improvement
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.
botlearn-healthcheck
botlearn-healthcheck — BotLearn autonomous health inspector for OpenClaw instances across 5 domains (hardware, config, security, skills, autonomy); triggers on system check, health report, diagnostics, or scheduled heartbeat inspection.
linkedin-cli
A bird-like LinkedIn CLI for searching profiles, checking messages, and summarizing your feed using session cookies.
notebooklm
Google NotebookLM 非官方 Python API 的 OpenClaw Skill。支持内容生成(播客、视频、幻灯片、测验、思维导图等)、文档管理和研究自动化。当用户需要使用 NotebookLM 生成音频概述、视频、学习材料或管理知识库时触发。
小红书长图文发布 Skill
## 概述