
skillguard

AI-powered security scanner for OpenClaw skills. Scans skill files for credential theft, data exfiltration, reverse shells, obfuscation, and other threats before installation.

Packaged view

This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.

Stars: 3,077
Hot score: 99
Updated: March 20, 2026
Overall rating: C 4.0
Composite score: 4.0
Best-practice grade: B 81.2

Install command

npx @skill-hub/cli install openclaw-skills-farnwick-skillguard

Repository

openclaw/skills

Skill path: skills/farnwickarglefax/farnwick-skillguard



Best for

Primary workflow: Analyze Data & AI.

Technical facets: Full Stack, Data / AI, Security.

Target audience: everyone.

License: Unknown.

Original source

Catalog source: SkillHub Club.

Repository owner: openclaw.

This is still a mirrored public skill entry. Review the repository before installing into production workflows.

What it helps with

  • Install skillguard into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
  • Review https://github.com/openclaw/skills before adding skillguard to shared team environments
  • Use skillguard for development workflows

Works across

Claude Code, Codex CLI, Gemini CLI, OpenCode

Favorites: 0.

Sub-skills: 0.

Aggregator: No.

Original source / Raw SKILL.md

---
name: skillguard
version: 1.0.0
description: AI-powered security scanner for OpenClaw skills. Scans skill files for credential theft, data exfiltration, reverse shells, obfuscation, and other threats before installation.
metadata:
  {
    "openclaw": {
      "emoji": "🛡️",
      "requires": { "bins": ["python3"] }
    }
  }
---

# SkillGuard 🛡️

AI-powered security scanner for OpenClaw skills. Analyzes skill code for malicious behaviour before you install it.

## Commands

### Scan before install (recommended)

```bash
skillguard install <skill-name>
```

Downloads the skill to a temp directory, runs AI security analysis, shows verdict, then asks for confirmation before installing via clawhub.

**Example:**
```
skillguard install my-new-skill
```

### Audit installed skills

```bash
skillguard audit
```

Scans all skills in `/usr/lib/node_modules/openclaw/skills/`, `~/.openclaw/workspace/skills/`, and `~/.openclaw/skills/`. Prints a table summary with details on any flagged skills.

### Scan a local path

```bash
skillguard scan <path>
```

Scan any local skill directory without installing. Useful for reviewing skills you've already downloaded or developed locally.

**Example:**
```
skillguard scan ./my-skill-folder
skillguard scan /usr/lib/node_modules/openclaw/skills/some-skill
```

## Risk Levels

| Level  | Meaning |
|--------|---------|
| ✅ CLEAN  | No security issues detected |
| 🟡 LOW    | Minor concerns, generally safe |
| ⚠️ MEDIUM | Review recommended before installing |
| 🚨 HIGH   | Dangerous — do not install without careful manual review |

## What Gets Checked

- **Credential theft**: reads of `~/.ssh/`, `~/.openclaw/`, API keys, `.env` files
- **Data exfiltration**: curl/wget/fetch POSTing data to external servers
- **Reverse shells**: netcat, bash TCP redirects, socat to external IPs
- **Privilege escalation**: sudo abuse, setuid bits, writing to `/etc/`
- **Persistence**: cron installs, systemd units, `.bashrc` modifications
- **Obfuscation**: base64-piped-to-bash, eval with dynamic content
- **Package smuggling**: undisclosed npm/pip installs
- **Reconnaissance**: network scanning, system info harvesting

## Usage by the AI Agent

When the user asks to install a skill, use skillguard first:

```bash
python3 /root/.openclaw/workspace/skills/skillguard/skillguard.py install <skill-name>
```

When the user asks to check their installed skills for security issues:

```bash
python3 /root/.openclaw/workspace/skills/skillguard/skillguard.py audit
```

When the user asks to check a specific local skill directory:

```bash
python3 /root/.openclaw/workspace/skills/skillguard/skillguard.py scan /path/to/skill
```

## Output Examples

**Clean skill:**
```
✅ SkillGuard: good-skill — Clean. Installing...
```

**Flagged skill:**
```
🚨 SkillGuard: bad-skill — Risk: HIGH
   Reads /root/.openclaw/*.json and POSTs to external IP.

   [HIGH] Data Exfiltration: curl POST of ~/.openclaw/openclaw.json to 45.33.32.156 [scripts/init.sh:14-22]
   [MEDIUM] Credential Theft: Reads ~/.ssh/id_rsa without disclosure [scripts/setup.sh:8]

Install bad-skill anyway? (type YES to confirm)
```

## Requirements

- Python 3.6+
- An Anthropic, OpenRouter, or DeepSeek API key configured in OpenClaw
- `clawhub` CLI (for `install` command only)

## Notes

- Binary files are automatically skipped
- Files larger than 100KB are truncated before analysis
- Analysis uses Claude Opus (or best available model) for maximum accuracy
- The scan itself is safe — skills are text files, not executed during scanning
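
The notes above say binary files are skipped and files over 100KB are truncated, so part of a skill can go unanalyzed. As an added example (not SkillGuard's own code), the collector below applies those two rules and returns every coverage gap alongside the text it would send for analysis; `collect_skill_files`, the NUL-byte binary test and the symlink handling are assumptions.

```python
import os
import tempfile

MAX_BYTES = 100 * 1024  # the 100KB per-file limit stated in the notes above


def collect_skill_files(root):
    """Return (files, gaps): text to analyze plus everything left unanalyzed."""
    files, gaps = {}, []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                gaps.append((rel, "symlink not followed"))
                continue
            size = os.path.getsize(path)
            with open(path, "rb") as fh:
                data = fh.read(MAX_BYTES)
            if b"\x00" in data[:8192]:  # assumption: a NUL byte marks a binary
                gaps.append((rel, "binary skipped"))
                continue
            files[rel] = data.decode("utf-8", errors="replace")
            if size > MAX_BYTES:
                over = size - MAX_BYTES
                gaps.append((rel, "%d bytes past the limit not analyzed" % over))
    return files, gaps


def demo():
    # Constructed sample skill: a manifest, an oversized script, a binary blob.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "scripts"))
        with open(os.path.join(root, "SKILL.md"), "w") as fh:
            fh.write("---\nname: sample\n---\n")
        with open(os.path.join(root, "scripts", "big.sh"), "w") as fh:
            fh.write("# padding\n" * 12000 + "echo tail of file\n")
        with open(os.path.join(root, "logo.bin"), "wb") as fh:
            fh.write(b"\x89PNG\x00\x00")
        return collect_skill_files(root)


if __name__ == "__main__":
    for rel, reason in demo()[1]:
        print("NOT FULLY ANALYZED:", rel, "-", reason)
```

A CLEAN verdict covers only what was collected, so any entry in `gaps` is a reason to review that file by hand before installing.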


---

## Skill Companion Files

> Additional files collected from the skill directory layout.

### README.md

```markdown
# SkillGuard 🛡️

AI-powered security scanner for OpenClaw skills.

SkillGuard uses LLM analysis to detect malicious code in OpenClaw skills before you install them — catching credential theft, data exfiltration, reverse shells, and other threats.

## Quick Start

```bash
# Scan + install a skill from clawhub (safest way to install)
python3 skillguard.py install some-skill-name

# Audit all installed skills
python3 skillguard.py audit

# Scan a local skill directory
python3 skillguard.py scan /path/to/skill
```

## How It Works

1. **Collect** — Reads SKILL.md + all scripts (.sh, .py, .js, etc.) up to 100KB each
2. **Analyze** — Sends file contents to Claude Opus (or configured LLM) with a focused security prompt
3. **Report** — Displays risk level (CLEAN / LOW / MEDIUM / HIGH) + specific findings
4. **Confirm** — For `install`, asks for confirmation before proceeding

## Example Output

```
🚨 SkillGuard: suspicious-skill — Risk: HIGH
   Reads /root/.openclaw/openclaw.json and sends to external IP.

   [HIGH] Data Exfiltration: curl POST of ~/.openclaw/*.json to 45.33.32.156 [init.sh:14-22]
   [MEDIUM] Credential Theft: Reads ~/.ssh/id_rsa without disclosure [setup.sh:8]

   ⚠ HIGH RISK: This skill is dangerous to install.
Install suspicious-skill anyway? (type YES to confirm)
```

```
✅ SkillGuard: helpful-skill — Clean. Installing...
```

## Audit Table

```
SkillGuard Audit — scanning 12 skills

  Scanning clawhub... ✅ CLEAN
  Scanning coding-agent... ✅ CLEAN
  Scanning discord... ✅ CLEAN
  ...

────────────────────────────────────────────────────────────
SKILL                          RISK         SUMMARY
────────────────────────────────────────────────────────────
clawhub                        CLEAN        No security issues detected
coding-agent                   CLEAN        No security issues detected
```

## What Gets Scanned

| Category | What it detects |
|----------|----------------|
| Credential Theft | `~/.ssh/`, `~/.openclaw/`, API keys, `.env` |
| Data Exfiltration | curl/wget/fetch with POST bodies to external servers |
| Reverse Shells | netcat, bash TCP redirects, socat |
| Privilege Escalation | sudo abuse, setuid, writing to `/etc/` |
| Persistence | cron installs, systemd units, `.bashrc` mods |
| Obfuscation | base64-piped-to-bash, eval with dynamic content |
| Package Smuggling | undisclosed npm/pip installs |
| Reconnaissance | network scanning, system info collection |

## Configuration

SkillGuard reads API credentials from `~/.openclaw/agents/main/agent/auth-profiles.json`.

Priority order:
1. Anthropic API key (direct) → uses Claude Opus
2. Anthropic token → uses Claude Opus
3. OpenRouter → uses Claude Opus via OpenRouter
4. DeepSeek → uses DeepSeek Chat

## Files

```
skillguard/
├── SKILL.md                    — OpenClaw skill manifest
├── README.md                   — This file
├── skillguard.py               — Main CLI script
└── prompts/
    └── security-analysis.txt   — LLM system prompt for security analysis
```

## Requirements

- Python 3.6+ (no external dependencies — uses stdlib only)
- OpenClaw with a configured LLM provider
- `clawhub` CLI for the `install` command

```

### _meta.json

```json
{
  "owner": "farnwickarglefax",
  "slug": "farnwick-skillguard",
  "displayName": "SkillGuard by Farnwick",
  "latest": {
    "version": "1.0.0",
    "publishedAt": 1771312824831,
    "commit": "https://github.com/openclaw/skills/commit/0715432449618fe359ea04eae00021610f0fddef"
  },
  "history": []
}

```
