🧪 Skills

OpenClaw Skill Generator & Security Scanner

Generate and security-scan OpenClaw SKILL.md files. Use when creating new OpenClaw skills, scanning skills for security vulnerabilities like prompt injection...

v1.0.0
❤️ 0
⬇️ 22
👁 2
Save📁 Collect
Share

Description

name: openclaw-skill-tools description: Generate and security-scan OpenClaw SKILL.md files. Use when creating new OpenClaw skills, scanning skills for security vulnerabilities like prompt injection or data exfiltration, auditing ClawHub skills before installation, or building agent skill packages. version: 1.0.0 homepage: https://portal.toolweb.in metadata: openclaw: emoji: "🦞" requires: env: - TOOLWEB_API_KEY bins: - curl primaryEnv: TOOLWEB_API_KEY os: - linux - darwin - win32 category: security

OpenClaw Skill Generator & Security Scanner 🦞🔧

Two-in-one tool for the OpenClaw ecosystem: (1) Generate professional SKILL.md files from a description, and (2) Security-scan existing skills for prompt injection, data exfiltration, credential theft, permission abuse, and scope creep. Essential for both skill authors and users who want to vet skills before installing.

Built by a CISSP/CISM certified security professional at ToolWeb.in

When to Use

Skill Generator:

  • User wants to create a new OpenClaw skill
  • User asks to generate a SKILL.md file
  • User needs help packaging an automation as an OpenClaw skill

Security Scanner:

  • User wants to scan a skill before installing
  • User asks to audit a ClawHub skill for safety
  • User mentions skill security, malicious skills, or ClawHavoc
  • User wants to check a SKILL.md for prompt injection or data exfiltration

Prerequisites

  • TOOLWEB_API_KEY — Get your API key from portal.toolweb.in
  • curl must be available on the system

API Endpoints

Generate Skill:

POST https://portal.toolweb.in/apis/tools/openclaw

Path: /generate-skill

Scan Skill:

POST https://portal.toolweb.in/apis/tools/openclaw

Path: /scan-skill

Workflow — Generate Skill

  1. Gather inputs:

    • name — Skill name in kebab-case (e.g., "my-awesome-skill")
    • description — What the skill does (used for agent activation)
    • detail — Extended description with more context (optional)
    • triggers — List of trigger phrases, e.g., ["when user asks to...", "when user mentions..."] (optional)
    • primary_env — Main environment variable needed (optional, e.g., "MY_API_KEY")
    • env_vars — Additional env vars needed (optional)
    • bins — Required CLI binaries (optional, e.g., ["curl", "jq"])
    • version — Version string (default: "1.0.0")

  2. Call the API:

curl -s -X POST "https://portal.toolweb.in/apis/tools/openclaw" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $TOOLWEB_API_KEY" \
  -d '{
    "name": "<skill-name>",
    "description": "<what it does>",
    "detail": "<extended description>",
    "triggers": ["<trigger1>", "<trigger2>"],
    "primary_env": "<ENV_VAR>",
    "env_vars": ["<VAR1>", "<VAR2>"],
    "bins": ["curl"],
    "version": "1.0.0"
  }'
  1. Present the generated SKILL.md content to the user.

Workflow — Scan Skill

  1. Get the skill content:

    • content — The full SKILL.md text to scan
    • scan_depth — "quick", "standard", or "deep" (default: "deep")
    • context — Additional context about the skill (optional)

    Security checks (all true by default):

    • check_injection — Scan for prompt injection patterns
    • check_exfil — Scan for data exfiltration attempts
    • check_creds — Scan for credential harvesting
    • check_perms — Scan for excessive permission requests
    • check_meta — Scan metadata for anomalies
    • check_scope — Scan for scope creep beyond stated purpose

  2. Call the API:

curl -s -X POST "https://portal.toolweb.in/apis/tools/openclaw" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $TOOLWEB_API_KEY" \
  -d '{
    "content": "<full SKILL.md content>",
    "scan_depth": "deep",
    "check_injection": true,
    "check_exfil": true,
    "check_creds": true,
    "check_perms": true,
    "check_meta": true,
    "check_scope": true
  }'
  1. Present the security findings with severity and recommendations.

Output Format — Generate

🦞 OpenClaw Skill Generated
━━━━━━━━━━━━━━━━━━━━━━━━━━━

Name: [skill-name]
Version: [version]

[Full SKILL.md content ready to save]

📋 Next steps:
1. Save as ~/.openclaw/skills/[name]/SKILL.md
2. Test with your agent
3. Publish: clawhub publish . --version 1.0.0

Output Format — Scan

🔍 Skill Security Scan Report
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Scan Depth: [deep/standard/quick]

🔴 CRITICAL Findings:
  [List critical security issues]

🟠 HIGH Findings:
  [List high-severity issues]

🟡 MEDIUM Findings:
  [List medium issues]

✅ Passed Checks:
  [List clean checks]

🛡️ Recommendation: [SAFE / CAUTION / DO NOT INSTALL]

📎 Scan powered by ToolWeb.in

Error Handling

  • If TOOLWEB_API_KEY is not set: Tell the user to get an API key from https://portal.toolweb.in
  • If the API returns 401: API key is invalid or expired
  • If the API returns 422: Check required fields
  • If the API returns 429: Rate limit exceeded — wait and retry after 60 seconds

Example Interactions

Generate:

User: "Create an OpenClaw skill that monitors GitHub PRs and notifies me on Telegram"

Agent: I'll generate the SKILL.md for you...
[Calls /generate-skill with name, description, triggers]
[Returns complete SKILL.md]

Scan:

User: "Scan this skill before I install it: [pastes SKILL.md content]"

Agent: I'll run a deep security scan...
[Calls /scan-skill with content]
[Returns findings: prompt injection risk, data exfiltration check, etc.]

Pricing

  • API access via portal.toolweb.in subscription plans
  • Free trial: 10 API calls/day, 50 API calls/month to test the skill
  • Developer: $39/month — 20 calls/day and 500 calls/month
  • Professional: $99/month — 200 calls/day, 5000 calls/month
  • Enterprise: $299/month — 100K calls/day, 1M calls/month

About

Created by ToolWeb.in — a security-focused MicroSaaS platform with 200+ security APIs, built by a CISSP & CISM certified professional. Trusted by security teams in USA, UK, and Europe and we have platforms for "Pay-per-run", "API Gateway", "MCP Server", "OpenClaw", "RapidAPI" for execution and YouTube channel for demos.

Related Skills

  • AgentVulnly — AI Agent Vulnerability Scanner — Scan agent architecture
  • AgentSecly — AI Agent Security Advisory — Threat advisory with MITRE mapping
  • Web Vulnerability Assessment — Web app security scanning

Tips

  • Always scan third-party skills before installing — the ClawHavoc incident showed 341+ malicious skills on ClawHub
  • Use deep scan for skills from unknown authors
  • Generate skills instead of writing manually to ensure proper frontmatter format
  • The scanner checks for the same patterns found in the ClawHavoc malware campaign
  • Combine with AgentVulnly to assess both skill safety and agent architecture security

Reviews (0)

Sign in to write a review.

No reviews yet. Be the first to review!

Comments (0)

Sign in to join the discussion.

No comments yet. Be the first to share your thoughts!

Compatible Platforms

Links

📂 Source Code

Pricing

Free

Related Configs

🧪 Skill

self-improving-agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...

❤️ 2.0k ⬇️ 218k
🧪 Skill

Self Improving Agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. And also 50+ models for image generation, video generation, text-to-speech, spe...

❤️ 2.0k ⬇️ 206k
🧪 Skill

Find Skills

Free

Search, discover, and install skills from the open agent skills ecosystem to extend agent capabilities for specific tasks or domains.

❤️ 814 ⬇️ 199k
🧪 Skill

Summarize

Free

--- name: summarize description: Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube). homepage: https://summarize.sh metadata: {"clawdbot":{"emoji":"🧾","requires":{"b

❤️ 609 ⬇️ 160k