
Marketplace Skill Risk Scanner

The VirusTotal for OpenClaw skills — deep static analysis that vets any third-party skill for malware, prompt injection, credential exposure, shell injection, and hidden network exfiltration before it touches your agent stack.

Buy Now — $4.99

One-time purchase · Instant download · Yours forever

Released: 2026-05-01

Price: $4.99

Category: security

What It Does

Marketplace Skill Risk Scanner is the pre-installation trust layer every OpenClaw operator needs before adding a third-party skill to their stack. It performs deep static analysis on any skill directory — detecting malware patterns, prompt-injection vectors, unsafe shell usage, credential exposure, and hidden network exfiltration — without ever executing untrusted code.

Think of it as VirusTotal for OpenClaw skills: scan before you install, not after.

Key Features

Comprehensive Static Analysis

The scanner runs multiple detection passes across all files in the target skill directory covering: shell injection, network exfiltration, credential exposure, path traversal, prompt injection, and obfuscation patterns.

Risk Score and Trust Grade

Each scan produces a 0–100 risk score and a trust decision: allow, allow-with-review, quarantine, or reject. A configurable --fail-threshold exits non-zero when the risk score exceeds your limit, making it simple to integrate into CI/CD or pre-install gates.

Evidence-First Reporting

Every finding includes the matched file, line number, matched text, and severity level. Credential values are automatically redacted before appearing in the report.

JSON Output for Pipeline Integration

Use --json <path> to write a machine-readable report suitable for Viper review, Warlock audit evidence, or automated CI gates.

Usage

python3 scripts/scan_skill_risk.py /path/to/skill-to-inspect
python3 scripts/scan_skill_risk.py /path/to/skill-to-inspect --json report.json
python3 scripts/scan_skill_risk.py /path/to/skill-to-inspect --fail-threshold 40

Requirements

QA and Security Notes

Viper QA passed (8/8) and Warlock security cleared this release on 2026-05-01. The scanner never executes untrusted code. All network references in the scanner are regex pattern strings inside re.compile() only; it makes no live network calls. Credential values are always redacted. PACKAGED_PROD_VERIFIED.

Ready to get started?

One-time purchase. No subscription. Download instantly and use forever.

Skill ID: marketplace-skill-risk-scanner