crabukit

Security scanner for OpenClaw skills with Clawdex integration. Analyzes SKILL.md and scripts for dangerous permissions, hardcoded secrets, shell injection vulnerabilities, and malicious code patterns. Automatically uses Clawdex database if installed for known-malicious skill detection. Use when (1) installing a skill from an untrusted source, (2) developing a skill before publishing, (3) auditing installed skills, or (4) running CI/CD security checks.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "crabukit" with this command: npx skills add tnbradley/crabukit

🔒 Crabukit

Security scanner for OpenClaw skills. Prevents installation of malicious or vulnerable skills by static analysis. Integrates with Clawdex for comprehensive protection.

Quick Start

# Safely install a skill (scans before installing)
crabukit install youtube-summarize

# Scan a local skill before installing
crabukit scan ./suspicious-skill/

# Scan an installed skill
crabukit scan /opt/homebrew/lib/node_modules/clawdbot/skills/unknown-skill

# CI mode - fail on high severity or above
crabukit scan ./my-skill --fail-on=high

# List all detection rules
crabukit list-rules

🔌 Clawdex Integration

Crabukit automatically integrates with Clawdex if installed:

# Install Clawdex for database-based protection
clawdhub install clawdex

# Now crabukit will:
# 1. Check Clawdex database (known 824+ malicious skills)
# 2. Run behavior analysis (zero-day detection)
# → Defense in depth!

Layered Protection:

  • Clawdex: Database of known-bad skills (fast lookup)
  • Crabukit: Behavior analysis for zero-days (static analysis)

What It Detects

CategoryIssues
External DBKnown malicious skills (via Clawdex)
SecretsHardcoded API keys, private keys, passwords
Code Injectioneval(), exec(), subprocess(shell=True)
Shell Riskscurl | bash, rm -rf, unquoted variables
PermissionsDangerous tool requests without safety guidance
MetadataSuspicious patterns in SKILL.md descriptions

Risk Scoring

Crabukit assigns a score (0-100) based on findings:

ScoreLevelAction
0CleanSafe to install
1-9LowMinor issues
10-24MediumReview findings
25-49HighCareful review required
50+CriticalDo not install

Exit Codes

  • 0 - Scan completed, no findings at or above --fail-on threshold
  • 1 - Findings at or above threshold detected

CI/CD Integration

# .github/workflows/security.yml
- name: Scan skill
  run: |
    pip install crabukit
    crabukit scan ./my-skill --fail-on=medium

Installation

# Via ClawdHub (when published)
clawdhub install crabukit

# Or via pip
pip install crabukit

# Or from source
git clone https://github.com/tnbradley/crabukit.git
cd crabukit
pip install -e .

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Production Code Audit

Deep-scan a codebase, understand its architecture and patterns, then produce a comprehensive audit report with prioritized fixes. Optionally apply changes on...

Registry SourceRecently Updated
1520Profile unavailable
Security

Soc Deploy Misp

Deploy MISP threat intelligence platform on any Docker-ready Linux host. Official misp-docker project with automatic MariaDB memory tuning (prevents OOM on s...

Registry SourceRecently Updated
1760Profile unavailable
Security

SEO Intel

Local SEO competitive intelligence tool. Use when the user asks about SEO analysis, competitor research, keyword gaps, content strategy, site audits, AI cita...

Registry SourceRecently Updated
2230Profile unavailable
Security

MAL-Updater

Multi-provider anime → MyAnimeList sync and recommendations skill with guarded auth, review-queue triage, health checks, bootstrap auditing, and user-systemd...

Registry SourceRecently Updated
2190Profile unavailable