skill-security-auditor

# Skill Security Auditor

## Description

The Skill Security Auditor is a **command-line tool** that performs pattern-based security analysis of ClawHub skills before installation. Given the recent discovery of 341+ malicious skills (ClawHavoc campaign) that distributed Atomic Stealer (AMOS) and stole cryptocurrency credentials, this tool provides essential pre-installation threat detection.

**What this skill provides:**
- ✅ Bash script (`analyze-skill.sh`) for local security analysis
- ✅ Threat intelligence database (`patterns/malicious-patterns.json`)
- ✅ Pattern matching against 20+ known malicious indicators
- ✅ Risk scoring system (0-100 scale)
- ✅ Detailed audit reports with recommendations

**How to use it:**
1. Install this skill from ClawHub
2. Run the `analyze-skill.sh` script against any skill (by slug or local file)
3. Review the risk assessment and findings
4. Make informed decision about installation

**Use this tool when:**
- About to install a new skill from ClawHub
- Investigating suspicious skill behavior  
- Performing security due diligence on community skills
- Auditing your currently installed skills

**This tool does NOT:**
- ❌ Automatically scan skills (you run it manually)
- ❌ Block installations (it's advisory only)
- ❌ Access VirusTotal API (use ClawHub's web interface for that)
- ❌ Guarantee 100% detection (defense in depth recommended)

## Core Capabilities

### 1. **Malicious Pattern Detection**
Scans for known malicious patterns from the ClawHavoc campaign:
- Fake prerequisite installations (openclaw-agent.zip, openclaw-setup.exe)
- Suspicious download commands in SKILL.md
- Hidden payload execution in metadata
- Social engineering language patterns
- Unauthorized external binary downloads

### 2. **Credential Leak Analysis**
Identifies potential credential exposure vectors:
- Hardcoded API keys, tokens, passwords in SKILL.md
- Suspicious environment variable exfiltration
- Unencrypted sensitive data transmission
- Overly bro...

# Skill Security Auditor 🛡️

**Protect your OpenClaw agent from malicious skills before installation**

## Overview

The Skill Security Auditor is a **command-line security analysis tool** that scans ClawHub skills for malicious patterns, credential leaks, and suspicious behaviors before you install them.

Born from the ClawHavoc campaign that distributed 341+ malicious skills stealing cryptocurrency credentials, this tool provides pattern-based threat detection using a curated threat intelligence database.

**Key Point**: This is a **manual CLI tool** you run before installing skills. It does not automatically scan or block installations - it provides security analysis to help you make informed decisions.

## Why You Need This

In February 2026, researchers discovered 341 malicious ClawHub skills that:
- 📦 Distributed Atomic Stealer (AMOS) malware
- 💰 Stole cryptocurrency exchange API keys
- 🔑 Harvested SSH credentials and browser passwords
- 🎭 Used sophisticated social engineering
- 🌐 Shared C2 infrastructure (91.92.242.30)

**This skill helps you avoid becoming a victim.**

## Features

✅ **Malicious Pattern Detection** - Identifies known attack patterns from ClawHavoc and other campaigns  
✅ **Credential Leak Analysis** - Finds hardcoded secrets and exfiltration vectors  
✅ **Dependency Validation** - Checks for suspicious binary requirements  
✅ **C2 Infrastructure Detection** - Flags known malicious IPs and domains  
✅ **Risk Scoring** - Quantitative 0-100 risk assessment  
✅ **VirusTotal Integration** - Links to OpenClaw's VirusTotal partnership  
✅ **Detailed Audit Reports** - Comprehensive security analysis with recommendations  

## Installation

### Via ClawHub CLI (Recommended)

```bash
# Install the skill
npx clawhub@latest install skill-security-auditor

# Make the analyzer script executable
chmod +x ~/.openclaw/skills/skill-security-auditor/analyze-skill.sh

# Test it works
~/.openclaw/skills/skill-security-auditor/analyze-skill.sh --help...