Safe-Skill
Description
```yaml
---
name: safe-skill
version: 1.0.0
description: >
  Programmatic security scanner for AI agent skills. Performs AST analysis, regex pattern matching, Shannon entropy detection, URL/IP extraction, and permission scope inference — with Markdown context awareness to reduce false positives. Use before installing any skill from ClawHub, GitHub, or untrusted sources. Trigger: "scan this skill", "vet this skill", "is this skill safe", "check skill security", "审查这个skill", "扫描skill安全性", "这个skill安全吗".
---
```
Safe-Skill
Programmatic security scanner for AI agent skills. Unlike prompt-only vetting checklists,
this skill includes an automated scanner (scripts/scan.py) that performs real static analysis.
Zero external dependencies. Runs anywhere Python 3.8+ is available.
Quick Start
```bash
# Scan a local skill directory
python3 {baseDir}/scripts/scan.py /path/to/skill-directory

# Scan a single file
python3 {baseDir}/scripts/scan.py /path/to/SKILL.md

# JSON output for machine consumption
python3 {baseDir}/scripts/scan.py /path/to/skill --json

# Save report to file
python3 {baseDir}/scripts/scan.py /path/to/skill -o report.txt

# Verbose mode (show clean files too)
python3 {baseDir}/scripts/scan.py /path/to/skill -v

# With explicit whitelist config
python3 {baseDir}/scripts/scan.py /path/to/skill -w /path/to/.vetterrc
```
Remote Fetch + Scan
```bash
# GitHub URL
python3 {baseDir}/scripts/fetch_and_scan.py https://github.com/openclaw/skills/tree/main/skills/someone/cool-skill

# ClawHub slug
python3 {baseDir}/scripts/fetch_and_scan.py clawhub:author/skill-name

# GitHub shorthand
python3 {baseDir}/scripts/fetch_and_scan.py github:openclaw/skills/skills/author/skill-name
```
What It Scans
The scanner runs five analysis passes on every file in a skill:
Pass 1: Pattern Matching (65+ rules)
Regex-based detection across 10 categories: RCE, data exfiltration, credential access, obfuscation, privilege escalation, agent identity theft, persistence/backdoor, suspicious network, filesystem abuse, and runtime package installation.
Pass 2: Python AST Analysis
For .py files, parses the Abstract Syntax Tree to detect patterns regex cannot — e.g. `eval(dynamic_var)` vs `eval("literal")`, only flagging the dangerous one.
Pass 3: Shannon Entropy Detection
Catches encoded payloads (base64, hex, encrypted blobs) that evade keyword-based detection.
Pass 4: URL / IP Extraction
Extracts all URLs and hardcoded IPs, classifying each by risk level.
Pass 5: Permission Scope Inference
Automatically extracts what the skill accesses: files, network, commands, env vars, packages.
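To make passes 2 and 3 concrete, here is an added, stand-alone illustration of the two ideas (it is not the project's scan.py): an AST walk that flags only `eval`/`exec` calls with a non-literal argument, and a Shannon entropy check over long tokens. The sample script, the 20-character token length and the 4.0-bit threshold are constructed assumptions for this example.

```python
import ast
import math
import re

# Constructed sample script (not from the project): one literal eval, one
# dynamic eval, and a base64-looking blob that keyword rules would miss.
SAMPLE_PY = '''
import os
cfg = eval("{'retries': 3}")
payload = os.environ.get("CMD")
eval(payload)
KEY = "aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgYmFzZTY0IGJsb2I="
'''

def dynamic_eval_calls(source):
    """Line numbers of eval/exec calls whose first argument is not a string
    literal. A regex on 'eval(' flags both; the AST flags only the dynamic one."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("eval", "exec") and node.args):
            arg = node.args[0]
            if not (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
                hits.append(node.lineno)
    return hits

def shannon_entropy(text):
    """Bits per character; base64/hex blobs score well above prose or code."""
    n = len(text)
    return -sum(c / n * math.log2(c / n)
                for c in (text.count(ch) for ch in set(text))) if n else 0.0

# Assumed token shape: 20+ characters from the base64/hex/identifier alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")

def high_entropy_tokens(source, threshold=4.0):
    """Tokens matching TOKEN_RE whose entropy exceeds the (assumed) threshold."""
    return [t for t in TOKEN_RE.findall(source) if shannon_entropy(t) > threshold]

if __name__ == "__main__":
    print("dynamic eval/exec at lines:", dynamic_eval_calls(SAMPLE_PY))
    print("high-entropy tokens:", high_entropy_tokens(SAMPLE_PY))
```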
Markdown Context Awareness
Security documentation describes the very patterns it warns against. Safe-Skill parses Markdown structure and automatically downgrades findings under documentation headings (containing words like "red flag", "warning", "reject", "danger", etc.) — dramatically reducing false positives for security-related skills.
Whitelist Configuration (.vetterrc)
Place a .vetterrc in the skill directory to suppress known-good patterns. See .vetterrc.example.
Risk Scoring
Quantitative scoring (0-100+):
| Score | Level | Verdict |
|---|---|---|
| 0 | CLEAN | Safe to install |
| 1-15 | LOW | Safe to install |
| 16-40 | MEDIUM | Install with caution |
| 41-80 | HIGH | Human review required |
| 81+ | EXTREME | Do not install |
Exit codes: 0 = CLEAN/LOW, 1 = MEDIUM, 2 = HIGH/EXTREME.
Workflow for the Agent
When asked to vet a skill:
- Run the scanner: `python3 {baseDir}/scripts/scan.py <target_path>`
- For remote skills, use: `python3 {baseDir}/scripts/fetch_and_scan.py <url_or_slug>`
- Review the report: Focus on critical/high severity items NOT marked [DOC].
- Cross-reference: For MEDIUM+ findings, read the flagged lines and assess context.
- Recommend: Provide a final recommendation based on scan results + contextual review.
Limitations
- Static analysis only — no sandboxing or dynamic execution tracing
- No network reputation lookup — URL risk is heuristic
- Regex limits — creative obfuscation can evade; AST helps for Python only
- False positives — legitimate skills using subprocess, network calls will trigger findings