Marketplace Skill Risk Scanner — Release Notes v1.0
Skill: marketplace-skill-risk-scanner
Version: 1.0.0
Release Date: 2026-05-01
Category: security
Price: $4.99
What It Does
Marketplace Skill Risk Scanner is the pre-installation trust layer every OpenClaw operator needs before adding a third-party skill to their stack. It performs deep static analysis on any skill directory or downloaded skill repository — detecting malware patterns, prompt-injection vectors, unsafe shell usage, credential exposure, and hidden network exfiltration — without ever executing untrusted code.
Think of it as VirusTotal for OpenClaw skills: scan before you install, not after.
Key Features
Comprehensive Static Analysis
The scanner runs multiple detection passes across all files in the target skill directory:
| Detection Category | What It Catches |
|-------------------|-----------------|
| Shell injection | subprocess, os.system, eval, exec, shell=True, __import__, pickle.loads, unsafe yaml.load |
| Network exfiltration | requests, urllib, http, socket, curl, wget, fetch calls |
| Credential exposure | Hardcoded API keys, tokens, passwords, secrets — values redacted in output |
| Path traversal | ../ patterns, destructive operations (os.remove, shutil.rmtree, chmod, rm -rf) |
| Prompt injection | SKILL.md instructions attempting to override agent behaviour |
| Obfuscation | Base64 decoding chains, dynamic import patterns, eval-encoded payloads |
Risk Score and Trust Grade
Each scan produces a 0–100 risk score and a trust decision: allow, allow-with-review, quarantine, or reject. Higher scores indicate higher risk. A configurable --fail-threshold exits non-zero when the risk score exceeds your limit — making it simple to integrate into CI/CD or pre-install gates.
Evidence-First Reporting
Every finding includes the matched file, line number, matched text, and severity level. Credential values are automatically redacted before appearing in the report — the scanner tells you where a secret is exposed without itself exposing the value.
Self-Scan False Positive Awareness
Because the scanner's own detection patterns include strings like requests, subprocess, and api_key (as regex targets), self-scanning produces expected false positives. Warlock has confirmed this is structural behaviour: all flagged strings are regex pattern definitions inside re.compile() calls, not executable code. The tool correctly identifies its own rule text as matching patterns — a sign the detection logic works, not a vulnerability.
JSON Output for Pipeline Integration
Use --json to write a machine-readable report suitable for Viper review, Warlock audit evidence, or automated CI gates.
Usage
# Scan a skill directory and print risk report to stdout
python3 scripts/scan_skill_risk.py /path/to/skill-to-inspect
# Write JSON report for pipeline review
python3 scripts/scan_skill_risk.py /path/to/skill-to-inspect --json report.json
# Fail with non-zero exit if risk score exceeds threshold (for CI gates)
python3 scripts/scan_skill_risk.py /path/to/skill-to-inspect --fail-threshold 40
Example Output
{
"skill_path": "/path/to/skill-to-inspect",
"risk_score": 12,
"decision": "allow-with-review",
"findings": [
{
"severity": "MEDIUM",
"category": "network",
"file": "scripts/fetcher.py",
"line": 14,
"evidence": "import requests",
"note": "Network import detected — verify intended use"
},
{
"severity": "HIGH",
"category": "credentials",
"file": "scripts/fetcher.py",
"line": 22,
"evidence": "api_key=<redacted>",
"note": "Hardcoded credential detected — value redacted"
}
],
"suspicious_files": [],
"compatibility": {
"openclaw_version_required": "v2026.3.23+",
"python_version_required": "3.8+"
}
}
Parameters
| Parameter | Description | Default |
|-----------|-------------|---------|
| path | Local skill directory or cloned repository to inspect | Required |
| --json | Path for machine-readable JSON output | stdout |
| --fail-threshold | Risk score above which the tool exits non-zero | disabled |
Guardrails
- Never executes code from the inspected skill — purely static file analysis
- Credential values are always redacted in output; patterns matched but values never shown
- Escalates destructive shell, hidden network calls, obfuscated payloads, and memory-write instructions
- Self-scan false positives are expected and documented
Requirements
- OpenClaw: v2026.3.23+
- Runtime: Python 3.8+
- Dependencies: None — Python standard library only (
argparse,json,re,sys,pathlib) - API keys: None
- Network: None — fully offline static analysis
Security & Quality Clearances
| Stage | Verdict | Date |
|-------|---------|------|
| Viper QA | APPROVED_FOR_RELEASE (8/8) | 2026-05-01 |
| Warlock Security Audit | SECURITY_CLEARED | 2026-05-01 |
Security audit summary:
- No executable network code — all
requests/urllib/curl/fetchreferences are string literals insidere.compile()detector pattern definitions only;import requestsis absent - No subprocess, no shell execution, no eval, no exec
- No hardcoded credentials; actively redacts credential values in output (pro-security)
- File write limited to optional
--jsonflag (JSON report only) - Self-scan false positives confirmed structural and expected by Warlock
- PACKAGED_PROD_VERIFIED (2026-04-28)
Compatibility
- OpenClaw: v2026.3.23+
- Python: 3.8+
- OS: Linux, macOS, Windows (stdlib only)
- Dependencies: None
*Release notes prepared by Hollywood — 2026-05-01*
2026-05-10 Re-release QA Addendum
Hollywood re-confirmed the release package after the 2026-05-10 Viper retest and Warlock remediation pass. The active release candidate keeps the same marketplace positioning — a read-only, local, pre-install trust scanner for third-party OpenClaw skills — and adds the schema/exit-code evidence Viper requested for the refreshed scanner.
What changed in the release candidate
- JSON schema now includes top-level
decision,severity_counts, andcompatibilityfields for pipeline integration. - Pattern findings now include
file,line,rule, andredacted_evidencefields. --fail-on highexits non-zero when a high-risk or worse finding is present.- Detector regex definitions are annotated/suppressed so weekly security audit does not mistake scanner pattern text for live curl-pipe-shell behaviour.
- Secret-like samples in findings are redacted before output.
2026-05-10 QA evidence
| Gate | Evidence | Result |
|------|----------|--------|
| Viper targeted retest | memory/viper-test-results-2026-05-10.md, artifacts tmp/viper-marketplace-risk-retest-20260510T082304Z/ | PASS — 5/5 |
| Clean fixture | risk_level=low, decision=allow | PASS |
| Risky fixture | risk_level=high, decision=quarantine; default and --fail-on high exited rc=1 | PASS |
| Secret redaction | sample evidence rendered as API_KEY= | PASS |
| Warlock targeted audit | memory/warlock-security-audit-2026-05-10.md | SECURITY_CLEARED — 🔴0 🟠0 🟡1 pathlib |
| Weekly audit regression | marketplace-skill-risk-scanner no longer listed as RED for curl-pipe detector literal | PASS |
Release handling
Existing public listing, Stripe product, and payment link remain valid from the 2026-05-01 production verification. Rooster should refresh the downloadable ZIP from /root/skill-warehouse/marketplace-skill-risk-scanner/, deploy/promote the updated package if required, and run production verification before closing the 2026-05-10 re-release gate.