Skill Security Scanner
> Built by GetAgentIQ — [getagentiq.ai](https://getagentiq.ai)
Full-workspace security audit for installed OpenClaw skills. Catches what pre-install checks miss.
Quick Start
# Scan all installed skills
python3 scripts/scan-skills.py
# Scan a specific directory
python3 scripts/scan-skills.py --path /path/to/skills
# JSON output for automation
python3 scripts/scan-skills.py --format json
# Only show HIGH and CRITICAL findings
python3 scripts/scan-skills.py --min-severity high
What It Detects
Category 1: Code Injection (CRITICAL)
eval(),exec(),compile()with dynamic input__import__()for runtime module loadingimportlibdynamic imports- Template injection (
jinja2withEnvironment+ no sandbox)
Category 2: System Access (HIGH)
subprocess,os.system,os.popenshell commands- File system traversal (
../, absolute path writes outside workspace) - Environment variable harvesting (
os.environbulk read) - Process manipulation (
os.kill,signal)
Category 3: Network Exfiltration (CRITICAL)
- HTTP POST/PUT with environment variables or file contents
- Webhook/callback URLs with sensitive data
- DNS exfiltration patterns
- Base64 encoding of credentials before network send
Category 4: Credential Theft (CRITICAL)
- Patterns matching API keys, tokens, seeds, private keys
- Reading
.env, config files, SSH keys, wallet files - Keychain/credential store access attempts
Category 5: Persistence & Escalation (HIGH)
- Crontab modification
- Startup script injection
- SKILL.md self-modification
- Permission escalation requests
Category 6: Supply Chain (MEDIUM)
- Obfuscated code (base64-encoded payloads, hex-encoded strings)
- Minified/packed Python (single-line files >500 chars)
- Network fetches of remote code (
urllib+exec) - Pip install of unvetted packages at runtime
Report Format
═══════════════════════════════════════════
SKILL SECURITY SCAN REPORT
Scanned: 24 skills | 2026-03-28 08:15 UTC
═══════════════════════════════════════════
🔴 CRITICAL: crypto-helper
├─ [EXFIL] requests.post() sends os.environ data (line 47)
└─ [INJECT] eval() on user input (line 23)
🟡 HIGH: file-manager
└─ [SYSTEM] subprocess.call with shell=True (line 89)
🟢 PASS: weather (0 findings)
🟢 PASS: github (0 findings)
─────────────────────────────────────────
SUMMARY: 2 CRITICAL | 1 HIGH | 0 MEDIUM | 21 CLEAN
ACTION: Remove crypto-helper immediately. Review file-manager.
Parameters
| Parameter | Default | Description |
|-----------|---------|-------------|
| --path | ~/.openclaw/workspace/skills | Directory to scan |
| --format | text | Output format: text, json, markdown |
| --min-severity | low | Minimum severity to report: low, medium, high, critical |
| --exclude | none | Comma-separated skill names to skip |
| --verbose | false | Show matched code snippets |
Integration with Existing Tools
- Complements
skill-security-validator(pre-install single-skill check) - Feeds into
skill-health-monitorfor ongoing monitoring - JSON output can pipe into CI/CD or cron-based scheduled scans