ClawAudit verdict
safehub
A security scanner for OpenClaw skills that uses Semgrep static analysis and optional Docker sandboxing to produce trust scores; all operations are local analysis with no credential access, and the skill explicitly warns about the SAFEHUB_RULES_REPO trust boundary.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Permission integrity
package_install
Findings (11)
Uses eval() — can execute arbitrary code
CONTRIBUTING.md · code · eval(
Accesses sensitive system files
README.md · code · /etc/passwd
Dynamic Function constructor — equivalent to eval()
rules/execution.yml · prose · downgraded · new Function(
References child_process — can spawn system processes
lib/resolve.js · prose · downgraded · child_process
Uses exec() — may execute shell commands
rules/execution.yml · prose · downgraded · exec(
Uses spawn() — can execute external programs
rules/execution.yml · prose · downgraded · spawn(
Base64 decode (atob) — may hide malicious payloads
rules/obfuscation.yml · prose · downgraded · atob(
Node http/https module — low-level network access
commands/update.js · prose · downgraded · require('https')
Popular HTTP library — network access
rules/network.yml · prose · downgraded · axios
Base64 encoding/decoding
rules/obfuscation.yml · prose · downgraded · base64-decode
Accesses sensitive environment variables
test-fixtures/risky-skill/index.js · prose · downgraded · process.env.SECRET_KEY
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
Requires 3 system binaries. (1 elevated: git).
package_install Is this flag fair?
Thanks — recorded.