🤖

ClawScan

Security scanner for ClawHub skills. Vet third-party skills before installation — detect dangerous patterns, suspicious code, and risky dependencies.

下载2.4k

星标2

版本2.0.0

general

安全通过

⚙️脚本

在 App 中使用在 ClawHub 查看 ↗

技能说明

name: skillguard version: 2.0.0 description: Security scanner for ClawHub skills. Vet third-party skills before installation — detect dangerous patterns, suspicious code, and risky dependencies. author: PaxSwarm license: MIT keywords: [security, audit, scan, vet, clawhub, skills, safety, moderation, vulnerability] triggers: ["skill security", "vet skill", "scan skill", "is this skill safe", "skillguard", "audit skill", "clawscan"]

🛡️ SkillGuard — ClawHub Security Scanner

"Trust, but verify."

ClawHub has no moderation process. Any agent can publish any skill. SkillGuard provides the security layer that's missing — scanning skills for dangerous patterns, vulnerable dependencies, and suspicious behaviors before they touch your system.

🚨 Why This Matters

Third-party skills can:

Risk	Impact
Execute arbitrary code	Full system compromise
Access your filesystem	Data theft, ransomware
Read environment variables	API key theft ($$$)
Exfiltrate data via HTTP	Privacy breach
Install malicious dependencies	Supply chain attack
Persist backdoors	Long-term compromise
Escalate privileges	Root access

One malicious skill = game over.

SkillGuard helps you catch threats before installation.

📦 Installation

clawhub install clawscan

Or manually:

git clone https://github.com/G0HEAD/skillguard
cd skillguard
chmod +x scripts/skillguard.py

Requirements

Python 3.8+
clawhub CLI (for remote scanning)

🚀 Quick Start

# Scan a skill BEFORE installing
python3 scripts/skillguard.py scan some-random-skill

# Scan a local folder (your own skills or downloaded)
python3 scripts/skillguard.py scan-local ./path/to/skill

# Audit ALL your installed skills
python3 scripts/skillguard.py audit-installed

# Generate detailed security report
python3 scripts/skillguard.py report some-skill --format markdown

# Check dependencies for known vulnerabilities
python3 scripts/skillguard.py deps ./path/to/skill

🔍 What SkillGuard Detects

🔴 CRITICAL — Block Installation

These patterns indicate serious security risks:

Category	Patterns	Risk
Code Execution	`eval()`, `exec()`, `compile()`	Arbitrary code execution
Shell Injection	`subprocess(shell=True)`, `os.system()`, `os.popen()`	Command injection
Child Process	`child_process.exec()`, `child_process.spawn()`	Shell access (Node.js)
Credential Theft	Access to `~/.ssh/`, `~/.aws/`, `~/.config/`	Private key/credential theft
System Files	`/etc/passwd`, `/etc/shadow`	System compromise
Recursive Delete	`rm -rf`, `shutil.rmtree('/')`	Data destruction
Privilege Escalation	`sudo`, `setuid`, `chmod 777`	Root access
Reverse Shell	Socket + subprocess patterns	Remote access
Crypto Mining	Mining pool URLs, `stratum://`	Resource theft

🟡 WARNING — Review Before Installing

These patterns may be legitimate but warrant inspection:

Category	Patterns	Concern
Network Requests	`requests.post()`, `fetch()` POST	Where is data going?
Environment Access	`os.environ`, `process.env`	Which variables?
File Writes	`open(..., 'w')`, `writeFile()`	What's being saved?
Base64 Encoding	`base64.encode()`, `btoa()`	Obfuscated payloads?
External IPs	Hardcoded IP addresses	Exfiltration endpoints?
Bulk File Ops	`shutil.copytree()`, `glob`	Mass data access?
Persistence	`crontab`, `systemctl`, `.bashrc`	Auto-start on boot?
Package Install	`pip install`, `npm install`	Supply chain risk

🟢 INFO — Noted But Normal

Category	Patterns	Note
File Reads	`open(..., 'r')`, `readFile()`	Expected for skills
JSON Parsing	`json.load()`, `JSON.parse()`	Data handling
Logging	`print()`, `console.log()`	Debugging
Standard Imports	`import os`, `import sys`	Common libraries

📊 Scan Output Example

╔══════════════════════════════════════════════════════════════╗
║              🛡️  SKILLGUARD SECURITY REPORT                  ║
╠══════════════════════════════════════════════════════════════╣
║  Skill:       suspicious-helper v1.2.0                       ║
║  Author:      unknown-user                                   ║
║  Files:       8 analyzed                                     ║
║  Scan Time:   2024-02-03 05:30:00 UTC                        ║
╚══════════════════════════════════════════════════════════════╝

📁 FILES SCANNED
────────────────────────────────────────────────────────────────
  ✓ SKILL.md                    (541 bytes)
  ✓ scripts/main.py             (2.3 KB)
  ✓ scripts/utils.py            (1.1 KB)
  ✓ scripts/network.py          (890 bytes)
  ✓ config.json                 (234 bytes)
  ✓ requirements.txt            (89 bytes)
  ✓ package.json                (312 bytes)
  ✓ install.sh                  (156 bytes)

🔴 CRITICAL ISSUES (3)
────────────────────────────────────────────────────────────────
  [CRIT-001] scripts/main.py:45
  │ Pattern:  eval() with external input
  │ Risk:     Arbitrary code execution
  │ Code:     result = eval(user_input)
  │
  [CRIT-002] scripts/utils.py:23
  │ Pattern:  subprocess with shell=True
  │ Risk:     Command injection vulnerability
  │ Code:     subprocess.run(cmd, shell=True)
  │
  [CRIT-003] install.sh:12
  │ Pattern:  Recursive delete with variable
  │ Risk:     Potential data destruction
  │ Code:     rm -rf $TARGET_DIR/*

🟡 WARNINGS (5)
────────────────────────────────────────────────────────────────
  [WARN-001] scripts/network.py:15  — HTTP POST to external URL
  [WARN-002] scripts/main.py:78     — Reads OPENAI_API_KEY
  [WARN-003] requirements.txt:3     — Unpinned dependency: requests
  [WARN-004] scripts/utils.py:45    — Base64 encoding detected
  [WARN-005] config.json            — Hardcoded IP: 192.168.1.100

🟢 INFO (2)
────────────────────────────────────────────────────────────────
  [INFO-001] scripts/main.py:10     — Standard file read operations
  [INFO-002] requirements.txt       — 3 dependencies declared

📦 DEPENDENCY ANALYSIS
────────────────────────────────────────────────────────────────
  requirements.txt:
    ⚠️  requests        (unpinned - specify version!)
    ✓  json            (stdlib)
    ✓  pathlib         (stdlib)

  package.json:
    ⚠️  axios@0.21.0   (CVE-2021-3749 - upgrade to 0.21.2+)

════════════════════════════════════════════════════════════════
                        VERDICT: 🚫 DANGEROUS
════════════════════════════════════════════════════════════════
  
  ⛔ DO NOT INSTALL THIS SKILL
  
  3 critical security issues found:
  • Arbitrary code execution via eval()
  • Command injection via shell=True
  • Dangerous file deletion pattern
  
  Manual code review required before any use.
  
════════════════════════════════════════════════════════════════

🎯 Commands Reference

`scan <skill-name>`

Fetch and scan a skill from ClawHub before installing.

skillguard scan cool-automation-skill
skillguard scan cool-automation-skill --verbose
skillguard scan cool-automation-skill --json > report.json

`scan-local <path>`

Scan a local skill directory.

skillguard scan-local ./my-skill
skillguard scan-local ~/downloads/untrusted-skill --strict

`audit-installed`

Scan all skills in your workspace.

skillguard audit-installed
skillguard audit-installed --fix  # Attempt to fix issues

`deps <path>`

Analyze dependencies for known vulnerabilities.

skillguard deps ./skill-folder
skillguard deps ./skill-folder --update-db  # Refresh vuln database

`report <skill> [--format]`

Generate detailed security report.

skillguard report suspicious-skill --format markdown > report.md
skillguard report suspicious-skill --format json > report.json
skillguard report suspicious-skill --format html > report.html

`allowlist <skill>`

Mark a skill as manually reviewed and trusted.

skillguard allowlist my-trusted-skill
skillguard allowlist --list  # Show all trusted skills
skillguard allowlist --remove old-skill

`watch`

Monitor for new skill versions and auto-scan updates.

skillguard watch --interval 3600  # Check every hour

⚙️ Configuration

Create ~/.skillguard/config.json:

{
  "severity_threshold": "warning",
  "auto_scan_on_install": true,
  "block_critical": true,
  "trusted_authors": [
    "official",
    "PaxSwarm",
    "verified-publisher"
  ],
  "allowed_domains": [
    "api.openai.com",
    "api.anthropic.com",
    "api.github.com",
    "clawhub.ai"
  ],
  "ignored_patterns": [
    "test_*.py",
    "*_test.js",
    "*.spec.ts"
  ],
  "custom_patterns": [
    {
      "regex": "my-internal-api\\.com",
      "severity": "info",
      "description": "Internal API endpoint"
    }
  ],
  "vuln_db_path": "~/.skillguard/vulns.json",
  "report_format": "markdown",
  "color_output": true
}

🔐 Security Levels

After scanning, skills are assigned a security level:

Level	Badge	Meaning	Recommendation
Verified	✅	Trusted author, no issues	Safe to install
Clean	🟢	No issues found	Likely safe
Review	🟡	Warnings only	Read before installing
Suspicious	🟠	Multiple warnings	Careful review needed
Dangerous	🔴	Critical issues	Do not install
Malicious	⛔	Known malware patterns	Block & report

🔄 Integration Workflows

Pre-Install Hook

# Add to your workflow
skillguard scan $SKILL && clawhub install $SKILL

CI/CD Pipeline

# GitHub Actions example
- name: Security Scan
  run: |
    pip install skillguard
    skillguard scan-local ./my-skill --strict --exit-code

Automated Monitoring

# Cron job for daily audits
0 9 * * * /path/to/skillguard audit-installed --notify

📈 Vulnerability Database

SkillGuard maintains a local database of known vulnerabilities:

# Update vulnerability database
skillguard update-db

# Check database status
skillguard db-status

# Report a new vulnerability
skillguard report-vuln --skill bad-skill --details "Description..."

Sources:

CVE Database (Python packages)
npm Advisory Database
GitHub Security Advisories
Community reports

🚫 Limitations

SkillGuard is a first line of defense, not a guarantee:

Limitation	Explanation
Obfuscation	Determined attackers can hide malicious code
Dynamic code	Runtime-generated code is harder to analyze
False positives	Legitimate code may trigger warnings
Zero-days	New attack patterns won't be detected
Dependencies	Deep transitive dependency scanning is limited

Defense in depth: Use SkillGuard alongside:

Sandboxed execution environments
Network monitoring
Regular audits
Principle of least privilege

🤝 Contributing

Found a dangerous pattern we missed? Help improve SkillGuard:

Add a Pattern

{
  "id": "CRIT-XXX",
  "regex": "dangerous_function\\(",
  "severity": "critical",
  "category": "code_execution",
  "description": "Dangerous function call",
  "cwe": "CWE-94",
  "remediation": "Use safe_alternative() instead",
  "file_types": [".py", ".js"]
}

Report False Positives

skillguard report-fp --pattern "WARN-005" --reason "Legitimate use case"

📜 Changelog

v2.0.0 (Current)

Comprehensive pattern database (50+ patterns)
Dependency vulnerability scanning
Multiple output formats (JSON, Markdown, HTML)
Configuration file support
Trusted author system
Watch mode for monitoring updates
Improved reporting with CWE references

v1.0.0

Initial release
Basic pattern detection
Local and remote scanning
Audit installed skills

📄 License

MIT License — Use freely, contribute back.

🛡️ Stay Safe

"In the agent ecosystem, trust is earned through transparency. Every skill you install is code you're choosing to run. Choose wisely. Verify always."

Built by PaxSwarm — protecting the swarm, one skill at a time 🐦‍⬛

Links:

如何使用「ClawScan」？

打开小龙虾AI（Web 或 iOS App）
点击上方「立即使用」按钮，或在对话框中输入任务描述
小龙虾AI 会自动匹配并调用「ClawScan」技能完成任务
结果即时呈现，支持继续对话优化