Command-line security analyzer for ClawHub skills. Run analyze-skill.sh to scan SKILL.md files for malicious patterns, credential leaks, and C2 infrastructure before installation. Includes threat inte
Real data. Real impact.
Emerging
Developers
Per week
Open source
Skills give you superpowers. Install in 30 seconds.
The Skill Security Auditor is a command-line tool that performs pattern-based security analysis of ClawHub skills before installation. Given the recent discovery of 341+ malicious skills (ClawHavoc campaign) that distributed Atomic Stealer (AMOS) and stole cryptocurrency credentials, this tool provides essential pre-installation threat detection.
What this skill provides:
analyze-skill.shpatterns/malicious-patterns.jsonHow to use it:
analyze-skill.shUse this tool when:
This tool does NOT:
Scans for known malicious patterns from the ClawHavoc campaign:
Identifies potential credential exposure vectors:
Analyzes skill dependencies for:
Checks for Command & Control indicators:
Verifies skill integrity:
Each analyzed skill receives a Risk Score (0-100):
This skill provides a bash script (
analyze-skill.sh# Install the skill from ClawHub npx clawhub install skill-security-auditorMake the analyzer executable
chmod +x ~/.openclaw/skills/skill-security-auditor/analyze-skill.sh
Optional: Create alias for convenience
echo 'alias audit-skill="~/.openclaw/skills/skill-security-auditor/analyze-skill.sh"' >> ~/.bashrc source ~/.bashrc
Method 1: Analyze by slug (automatic fetch from ClawHub)
~/.openclaw/skills/skill-security-auditor/analyze-skill.sh --slug bitcoin-trackerExample output:
============================================
SECURITY AUDIT REPORT
============================================
Risk Score: 85/100 - ☠️ CRITICAL
...
Method 2: Analyze local file
# Download skill first curl -s "https://clawhub.ai/api/skills/bitcoin-tracker/latest" > /tmp/skill.mdThen analyze
~/.openclaw/skills/skill-security-auditor/analyze-skill.sh --file /tmp/skill.md
# Scan all skills in your workspace for skill in ~/.openclaw/skills/*/SKILL.md; do echo "Checking: $(basename $(dirname $skill))" ~/.openclaw/skills/skill-security-auditor/analyze-skill.sh -f "$skill" done
# Fast grep-based pattern matching (no full analysis) grep -iE "(prerequisite.*download|91\.92\.242\.30|curl.*\|.*bash)" SKILL.md
Fake Prerequisites Section
.zip.exe.dmgKnown Malicious Infrastructure
91.92.242.30Credential Harvesting
(api[_-]?key|token|password)\s*[:=]\s*['\"][^'\"]+['\"]Unauthorized Code Execution
curl | bashwget | shSuspicious Dependencies
Obfuscation Techniques
Social Engineering Language
Verified Author
Transparent Dependencies
Code Quality
## Security Audit Report **Skill**: {skill-name} **Author**: {author} **Version**: {version} **Audit Date**: {date}Risk Score: {score}/100 - {RISK_LEVEL}
Critical Findings:
- {finding 1}
- {finding 2}
Warning Indicators:
- {warning 1}
- {warning 2}
Positive Indicators:
- {positive 1}
- {positive 2}
Recommendations:
{INSTALL | DO NOT INSTALL | REVIEW MANUALLY}
Detailed Analysis:
{Deep dive into specific concerns}
VirusTotal Link:
{If available from ClawHub}
Important: This skill does NOT directly access VirusTotal's API. Instead, VirusTotal integration is available through ClawHub's web interface via their partnership with VirusTotal.
To check VirusTotal results for a skill:
https://clawhub.ai/skills/{skill-slug}This analyzer focuses on pattern-based threat detection. It complements (but does not replace) ClawHub's VirusTotal scanning.
# Step 1: Pattern analysis (local) ~/.openclaw/skills/skill-security-auditor/analyze-skill.sh -s suspicious-skillStep 2: Visit ClawHub page for VirusTotal results
https://clawhub.ai/skills/suspicious-skill
Step 3: Manual review if needed
curl -s "https://clawhub.ai/api/skills/suspicious-skill/latest" > skill.md less skill.md
Scenario: User wants to install a skill called
solana-wallet-trackerStep 1: Run Security Analysis
$ ~/.openclaw/skills/skill-security-auditor/analyze-skill.sh -s solana-wallet-trackerFetching skill 'solana-wallet-tracker' from ClawHub... ✓ Skill fetched successfully
Analyzing skill content...
============================================ SECURITY AUDIT REPORT
Risk Score: 95/100 - ☠️ CRITICAL
============================================
☠️ CRITICAL FINDINGS: CLAW-001: Fake Prerequisites - ClawHavoc Campaign [+50 points] └─ Matches the ClawHavoc campaign pattern of fake prerequisites requesting malicious binary downloads CLAW-002: Known C2 Infrastructure [+50 points] └─ IP address used in ClawHavoc campaign for C2 communications
============================================ RECOMMENDATION: DO NOT INSTALL. Malicious patterns detected matching known attack campaigns.
Step 2: Decision
Step 3: Verify on ClawHub (optional)
# Visit skill page to check VirusTotal results open "https://clawhub.ai/skills/solana-wallet-tracker"
To minimize false positives:
ghThis skill:
✅ Security Audit Complete{skill-name} has been analyzed and appears SAFE to install.
Risk Score: {score}/100 (LOW)
No malicious patterns detected. The skill:
- Uses standard dependencies from trusted sources
- Has a verified author with {X} published skills
- Contains clear documentation with no obfuscation
- Requests appropriate permissions for its function
VirusTotal: {link}
Recommendation: Safe to proceed with installation.
🔴 Security Alert: HIGH RISK DETECTED{skill-name} has been flagged with CRITICAL security concerns.
Risk Score: {score}/100 (HIGH)
⚠️ Critical Findings: {detailed findings}
This skill matches patterns from the ClawHavoc malware campaign.
Recommendation: DO NOT INSTALL. Consider reporting this skill to ClawHub moderators.
Alternative safe skills: {suggestions}
Pattern Database Location:
~/.openclaw/security-auditor/patterns/malicious-patterns.jsonsafe-patterns.jsonioc-database.jsonUpdate Mechanism:
# Pull latest threat intelligence curl -s "https://openclaw-security.github.io/threat-intel/latest.json" \ > ~/.openclaw/security-auditor/patterns/ioc-database.json
Found a new malicious pattern? Submit IOCs to the OpenClaw Security Working Group:
⚠️ Important Disclaimers:
Remember: The best security is defense in depth. Use this skill as ONE layer of your security strategy, not the only layer.
Stay safe, stay skeptical, stay secure. 🦞🛡️
No automatic installation available. Please visit the source repository for installation instructions.
View Installation Instructions
1,500+ AI skills, agents & workflows. Install in 30 seconds. Part of the Torly.ai family.
© 2026 Torly.ai. All rights reserved.