Protects your AI development environment by automatically scanning OpenClaw skills for malicious code, credential leaks, and vulnerabilities.
Claw Security Scanner is a comprehensive security auditing tool designed specifically to mitigate supply chain risks within the OpenClaw ecosystem. It performs multi-layered inspections on skill files, utilizing static code analysis, dependency vulnerability checks, and heuristic algorithms to identify hidden backdoors, hardcoded API keys, and over-privileged access requests. By providing detailed risk assessments and automated fix suggestions, it ensures that developers and enterprises can leverage third-party Claude skills without compromising their system integrity or sensitive data.
Key Features
01 5 GitHub stars
02 Comprehensive credential scanning for API keys, tokens, and sensitive .env data
03 Multi-engine detection including AST analysis and heuristic pattern matching
04 Dependency security audits to identify outdated packages and known CVEs
05 Dynamic behavior analysis using sandbox environments to monitor network and file access
06 Automated reporting system with interactive HTML, JSON, and console outputs
Use Cases
01 Performing periodic security posture assessments on all installed AI extensions
02 Integrating automated security audits into CI/CD pipelines for skill developers
03 Vetting community-contributed skills before installation to prevent supply chain attacks