Skill Scanner
Security scanner for OpenClaw agent skills. Static analysis for red flags.
Usage
node scripts/scanner.js <path-to-skill> [--verbose] [--json] [--summary] [--ignore <path>] [--include-self]
Examples
# Scan a downloaded skill folder before enabling it
clawhub inspect some-skill
node scripts/scanner.js ./skills/some-skill --verbose
# Scan your own skill before publishing
node scripts/scanner.js ./skills/my-skill
# JSON output for automation
node scripts/scanner.js ./skills/my-skill --json
# One-line summary output for heartbeat checks
node scripts/scanner.js ./skills/my-skill --summary
# Include scanner internals (off by default to reduce self-scan noise)
node scripts/scanner.js ./skills/skulk-skill-scanner --include-self
What It Catches
| Severity | Flags |
|---|---|
| 🔴 Critical | Data exfiltration, credential access, safety overrides, destructive commands |
| 🟠 High | Obfuscation (base64/eval), unknown network access, env scanning, privilege escalation, hidden instructions |
| 🟡 Medium | Writes outside workspace, package installs (supply chain), messaging on user's behalf, persistent timers/automation |
| 🔵 Info | API key references, broad tool access requests |
Scoring
- Each unique rule deducts points: critical=30, high=15, medium=5, info=0
- Score 75-100: ✅ PASS
- Score 50-74: ⚠️ WARN
- Score 0-49 or any critical: ❌ FAIL
- Exit code 1 on FAIL (CI-friendly)
Safe Domain Allowlist
Known legitimate API domains are allowlisted to reduce false positives on network-related rules. Edit the SAFE_DOMAINS array in scripts/scanner.js to customize.
Limitations
This is static pattern matching — it catches obvious and moderately obfuscated attacks but cannot detect:
- Sophisticated multi-step social engineering
- Runtime-generated URLs or dynamic exfiltration
- Attacks that look identical to legitimate skill behavior
It's a first line of defense, not a guarantee. Always review skills manually before granting sensitive access.