AgentSkillsCN

skillvet

ClawHub/社区技能的安全扫描器——在您安装技能之前,即可检测恶意软件、凭证窃取、数据外泄、提示注入、混淆攻击、同形异义攻击、ANSI 注入、特定活动的攻击模式等威胁。当您从 ClawHub 或任何公开市场安装技能,或在审查第三方智能体技能以确保安全,又或在将不信任的代码交付给 AI 代理之前对其进行严格审核时,可使用此技能。触发词包括:install skill、audit skill、check skill、vet skill、skill security、safe install、is this skill safe。

SKILL.md
--- frontmatter
name: skillvet
version: 2.0.7
description: Security scanner for ClawHub/community skills — detects malware, credential theft, exfiltration, prompt injection, obfuscation, homograph attacks, ANSI injection, campaign-specific attack patterns, and more before you install. Use when installing skills from ClawHub or any public marketplace, reviewing third-party agent skills for safety, or vetting untrusted code before giving it to your AI agent. Triggers: install skill, audit skill, check skill, vet skill, skill security, safe install, is this skill safe.

Skillvet

Security scanner for agent skills. 37 critical checks, 8 warning checks. No dependencies — just bash and grep. Includes Tirith-inspired detection patterns, campaign signatures from Koi Security research, and 1Password blog ClickFix patterns.

Usage

Safe install (installs, audits, auto-removes if critical):

bash
bash skills/skillvet/scripts/safe-install.sh <skill-slug>

Audit an existing skill:

bash
bash skills/skillvet/scripts/skill-audit.sh skills/some-skill

Audit all installed skills:

bash
for d in skills/*/; do bash skills/skillvet/scripts/skill-audit.sh "$d"; done

JSON output (for automation):

bash
bash skills/skillvet/scripts/skill-audit.sh --json skills/some-skill

Summary mode (one-line per skill):

bash
bash skills/skillvet/scripts/skill-audit.sh --summary skills/some-skill

Exit codes: 0 clean, 1 warnings only, 2 critical findings.

Critical Checks (auto-blocked)

Core Security Checks (1-24)

#CheckExample
1Known exfiltration endpointswebhook.site, ngrok.io, requestbin
2Bulk env variable harvestingprintenv |, ${!*@}
3Foreign credential accessANTHROPIC_API_KEY, TELEGRAM_BOT_TOKEN in scripts
4Code obfuscationeval(), base64 decode, hex escapes
5Path traversal / sensitive files../../, ~/.ssh, ~/.clawdbot
6Data exfiltration via curl/wgetcurl --data, wget --post with variables
7Reverse/bind shells/dev/tcp/, nc -e, socat
8.env file theftdotenv loading in scripts (not docs)
9Prompt injection in markdown"ignore previous instructions" in SKILL.md
10LLM tool exploitationInstructions to send/email secrets
11Agent config tamperingWrite/modify AGENTS.md, SOUL.md, clawdbot.json
12Unicode obfuscationZero-width chars, RTL override, bidi control chars
13Suspicious setup commandscurl piped to bash in SKILL.md
14Social engineeringDownload external binaries, paste-and-run instructions
15Shipped .env files.env files (not .example) in the skill
16Homograph URLs (Tirith)Cyrillic і vs Latin i in hostnames
17ANSI escape sequences (Tirith)Terminal escape codes in code/data files
18Punycode domains (Tirith)xn-- prefixed IDN-encoded domains
19Double-encoded paths (Tirith)%25XX percent-encoding bypass
20Shortened URLs (Tirith)bit.ly, t.co, tinyurl.com hiding destinations
21Pipe-to-shellcurl | bash (HTTP and HTTPS)
22String construction evasion'cu' + 'rl', String.fromCharCode, getattr(os,...)
23Data flow chain analysisSame file reads secrets, encodes, AND sends network requests
24Time bomb detectionDate.now() > timestamp, setTimeout(fn, 86400000)

Campaign-Inspired Checks (25-34)

Inspired by Koi Security research which found 341 malicious skills on ClawHub.

#CheckExample
25Known C2/IOC IP blocklist91.92.242.30, 54.91.154.110 (known AMOS C2 servers)
26Password-protected archives"extract using password: openclaw" — AV evasion
27Paste service payloadsglot.io, pastebin.com hosting malicious scripts
28GitHub releases binary downloadsFake prerequisites pointing to .zip/.exe on GitHub
29Base64 pipe-to-interpreterecho '...' | base64 -D | bash — primary macOS vector
30Subprocess + network commandsos.system("curl ...") — hidden pipe-to-shell in code
31Fake URL misdirection (warning)echo "https://apple.com/setup" decoy before real payload
32Process persistence + networknohup curl ... & — backdoor with network access
33Fake prerequisite pattern"Prerequisites" section with sketchy external downloads
34xattr/chmod droppermacOS Gatekeeper bypass: download → xattr -cchmod +x → execute

1Password Blog-Inspired Checks (35-37)

Inspired by 1Password research on ClickFix-style attacks targeting agent skills.

#CheckExample
35ClickFix download+execute chaincurl -o /tmp/x && chmod +x && ./x, open -a with downloads
36Suspicious package sourcespip install git+https://..., npm from non-official registries
37Staged installer patternFake dependency names like openclaw-core, some-lib

Severity Changes (v0.5.0)

  • Raw IP URLs upgraded from WARNING → CRITICAL (malicious C2s commonly use raw IPs)
  • Pipe-to-shell now catches both HTTP and HTTPS (not just insecure HTTP)

Warning Checks (flagged for review)

#CheckExample
W1Unknown external tool requirementsNon-standard CLI tools in install instructions
W2Subprocess executionchild_process, exec(), os.system
W3Network requestsaxios, fetch, requests imports
W4Minified/bundled filesFirst line >500 chars — can't audit
W5Filesystem write operationswriteFile, open('w'), fs.append
W6Insecure transportcurl -k, verify=False — TLS disabled
W7Docker untrusted registriesNon-standard image sources

Optional: Tirith Integration

If the tirith binary is available on PATH, the scanner will additionally extract all URLs from code files and run tirith check against each unique hostname for deeper homograph/IDN analysis. This is purely additive — the scanner works fine without tirith installed.

IOC Updates

The C2 IP blocklist in check #25 is based on known indicators from:

To update IOCs, edit the KNOWN_BAD_IPS variable in scripts/skill-audit.sh.

Limitations

Static analysis only. English-centric prompt injection patterns. Minified JS is flagged but not deobfuscated. A clean scan raises the bar but doesn't guarantee safety.

The scanner flags itself when audited — its own patterns contain the strings it detects. This is expected.