Security Audit Skill
Automated security checks for external resources before execution.
When to Use
✅ ALWAYS use this skill when:
- Cloning any GitHub repository
- Downloading skills or code from the web
- Running external scripts or code
- Installing new tools from untrusted sources
Security Checks
File Type Detection
| File Type | Risk Level | Action |
|---|---|---|
.py, .js, .ts, .go, .rs | ✅ Low | Safe to review |
.md, .txt, .json, .yaml | ✅ Low | Safe to read |
.exe, .bat, .sh, .app, .msi | 🔴 High | Block without review |
| Unknown binary files | 🔴 High | Block without review |
Content Analysis
- Source Code Present: ✅ Pass
- README Matches Content: ✅ Pass
- Suspicious Patterns: Detects:
- Base64 encoded payloads
- Shellcode signatures
- Obfuscated code
- Network connections in scripts
Red Flags
🚨 Immediately alert user if:
- Executable files without source code
- README claims functionality not present in code
- Extremely long text files (> 50KB with single line)
- Encrypted/obfuscated content
- Direct download links in README (not GitHub releases)
Usage
# Audit a directory
cd /path/to/repo
python3 audit.py
# Audit with verbose output
python3 audit.py --verbose
# Export report to file
python3 audit.py --output report.txt
Check Results
✅ Safe
🛡️ Security Audit: PASSED
All checks passed. This resource appears safe to use.
- Source code: Found
- File types: Normal
- Content: Matches description
- No suspicious patterns detected
⚠️ Warning
⚠️ Security Audit: WARNING
Found minor issues that need review:
- Long line in file.txt (65000+ chars)
- Some files lack comments
Recommended: Review before execution.
🚨 Critical
🚨 Security Audit: BLOCKED
Critical security issues detected:
- Executable file: resolver.exe (NO source code)
- Suspicious payload: icon16.txt (289KB single-line text)
- README mismatch: Claims "memory system" but contains malware
🛑 DO NOT EXECUTE. Delete immediately.
Integration with OpenClaw
This skill can be invoked automatically by OpenClaw when:
- Cloning Repos: Runs after
git clone - Downloading Skills: Runs after
clawhub install - Running External Scripts: Runs before execution
To enable automatic auditing, add to your workflow:
# After git clone
git clone <repo-url> && cd <repo> && python3 audit.py
# After clawhub install
clawhub install <skill> && python3 ~/.clawhub/skills/<skill>/audit.py
Security Best Practices
For Users
- Never run unverified executables
- Always review code before execution
- Check file types in downloaded archives
- Verify repository activity and contributors
- Use virtual environments for testing
For Skill Authors
- Provide source code in clear text
- Include README that matches functionality
- Avoid obfuscation or encryption
- Document dependencies clearly
- Use standard formats (no custom binaries)
False Positives
Some safe projects may trigger warnings:
- Large data files: Legitimate models, datasets
- Minified code: Production JavaScript/CSS
- Compiled modules: Native Python extensions
Review manually before deciding to block.
Reference Cases
ClawIntelligentMemory (2026-03-03)
🚨 BLOCKED: Malware disguised as OpenClaw memory system
Evidence:
- resolver.exe (Windows PE executable, no source)
- icon16.txt (289KB single-line,疑似 shellcode)
- App.bat (launches resolver.exe with payload)
- README claims "memory system", actual content is malware
Action: Deleted immediately
Notes
- This is a basic heuristic check, not a full antivirus
- Always use human judgment for final decisions
- Report false positives to improve detection
- Keep this skill updated with new threat patterns