Skill Sentinel - Skill Security Scanner
LiveA watchtower for Skill security before install time
OpenClawAudit
Skill Sentinel - Skill Security Scanner
Published on ClawHub as skill-sentinel.
Protect your OpenClaw environment from malicious Skills.
The Problem
ClawHub is open for anyone to upload Skills. This creates a supply chain attack surface:
- Malicious scripts disguised as helpful tools
- Social engineering tricks ("please copy and run this command")
- Hidden network callbacks
- Obfuscated code
The Solution
Skill Sentinel scans Skills before installation:
- Static Analysis - Examine SKILL.md and scripts without execution
- Pattern Detection - Match against known attack signatures
- Risk Scoring - Clear Safe/Caution/Avoid ratings
- Evidence - Specific line numbers and explanations
Risk Categories
| Level | Description | Action |
|---|---|---|
| π’ Safe | No suspicious patterns found | Install freely |
| π‘ Caution | Some risky patterns detected | Review before install |
| π΄ Avoid | High-risk patterns detected | Do not install |
Integration
# CLI usage
npx clawshield scan ./my-skill
# GitHub Action
- uses: bubustudio/clawshield-action@v1
Roadmap
- Core scanner engine
- CLI tool
- GitHub Action
- IDE extension
- Real-time ClawHub integration
Trust LayerΒ·Community Profile
Trust Layer
Data handling is explicit
Open and auditable workflow
Runtime boundaries are transparent
Risk Note
Third-party skills may include hidden network calls or unsafe install scripts. Scan before use.