🧪 Skills

Neckr0ik Security Scanner

Security audit tool for OpenClaw skills. Scans skill directories for common vulnerabilities including hardcoded secrets, unsafe shell commands, prompt inject...

v1.0.0
❤️ 0
⬇️ 86
👁 1
Save📁 Collect
Share

Description

name: neckr0ik-security-scanner version: 1.0.0 description: Security audit tool for OpenClaw skills. Scans skill directories for common vulnerabilities including hardcoded secrets, unsafe shell commands, prompt injection risks, unauthorized network access, and code execution dangers. Use when auditing skills before installation, reviewing skill code for security issues, or validating skills for ClawHub publication.

Skill Security Audit

Scan OpenClaw skills for security vulnerabilities before installation or publication.

Quick Start

# Audit a single skill
skill-security-audit audit /path/to/skill-folder

# Audit all installed skills
skill-security-audit audit-all

# Generate security report
skill-security-audit report /path/to/skill-folder --format json

What This Detects

Critical Issues (Block Installation)

Issue Description Risk Level
Hardcoded Secrets API keys, tokens, passwords in code Critical
Shell Injection Unsanitized input to shell commands Critical
Code Execution eval(), exec(), dynamic code execution Critical
Unauthorized Network Calls to unknown/suspicious domains Critical

High Issues (Review Required)

Issue Description Risk Level
Prompt Injection User input in system prompts without sanitization High
File Path Traversal Unchecked file paths from user input High
Excessive Permissions Requests unnecessary system access High

Medium Issues (Warnings)

Issue Description Risk Level
Outdated Dependencies Packages with known CVEs Medium
Unpinned Versions Floating dependency versions Medium
Missing License No license file for distribution Medium

Security Patterns

Good Pattern: Environment Variables

# CORRECT: Load secrets from environment
import os
api_key = os.environ.get("OPENAI_API_KEY")

Bad Pattern: Hardcoded Secrets

# DANGEROUS: Secret in code
api_key = "sk-abc123def456..."  # NEVER DO THIS

Good Pattern: Sanitized Input

# CORRECT: Validate and sanitize
import re
def safe_filename(name):
    return re.sub(r'[^a-zA-Z0-9_-]', '', name)

Bad Pattern: Shell Injection

# DANGEROUS: User input to shell
os.system(f"convert {user_file} output.png")  # NEVER DO THIS

Running Audits

Important: Self-Scan Results

When running skill-security-audit audit skill-security-audit/, you will see findings for the pattern definitions themselves. This is expected — the scanner detects the example patterns in its own documentation. These are not real vulnerabilities.

For actual skill audits, this produces accurate results.

Single Skill Audit

skill-security-audit audit ./my-skill/

Output:

  • Pass/Fail status
  • List of vulnerabilities found
  • Severity ratings
  • Remediation suggestions

Batch Audit (All Installed Skills)

skill-security-audit audit-all

Scans ~/.openclaw/skills/ and reports on all installed skills.

Report Formats

# JSON for CI/CD integration
skill-security-audit audit ./skill/ --format json

# Markdown for documentation
skill-security-audit audit ./skill/ --format markdown

# Summary for quick review
skill-security-audit audit ./skill/ --format summary

CI/CD Integration

Add to your skill publishing pipeline:

# .github/workflows/publish.yml
- name: Security Audit
  run: skill-security-audit audit ./skill/

Exit codes:

  • 0: No issues found
  • 1: Medium+ issues found (warnings)
  • 2: Critical issues found (block)

Publishing Secure Skills

Before publishing to ClawHub:

  1. Run skill-security-audit audit ./your-skill/
  2. Fix all critical and high issues
  3. Document any required secrets in README
  4. Include .env.example with placeholder values
  5. Re-run audit to confirm clean

See Also

  • references/vulnerabilities.md — Complete vulnerability database
  • references/remediation.md — How to fix common issues
  • scripts/audit.py — Main audit script

Reviews (0)

Sign in to write a review.

No reviews yet. Be the first to review!

Comments (0)

Sign in to join the discussion.

No comments yet. Be the first to share your thoughts!

Compatible Platforms

Links

📂 Source Code

Pricing

Free

Related Configs

🧪 Skill

self-improving-agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...

❤️ 2.0k ⬇️ 218k
🧪 Skill

Self Improving Agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. And also 50+ models for image generation, video generation, text-to-speech, spe...

❤️ 2.0k ⬇️ 206k
🧪 Skill

Find Skills

Free

Search, discover, and install skills from the open agent skills ecosystem to extend agent capabilities for specific tasks or domains.

❤️ 814 ⬇️ 199k
🧪 Skill

Summarize

Free

--- name: summarize description: Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube). homepage: https://summarize.sh metadata: {"clawdbot":{"emoji":"🧾","requires":{"b

❤️ 609 ⬇️ 160k