SkillHub

clawlite-openclaw-security-guard

v0.2.1

This skill should be used when the user asks to harden agent workflows, audit prompts/commands/URLs/paths, scan a third-party skill before install or publish, review a skill folder for secrets or unsafe scripts, or add a lightweight local security guard before OpenClaw publishing and automation.

Sourced from ClawHub, Authored by X-RayLuan

Installation

Please help me install the skill `clawlite-openclaw-security-guard` from SkillHub official store. npx skills add X-RayLuan/clawlite-openclaw-security-guard

OpenClaw Security Guard

Use this skill to run fast local security checks before trusting or publishing automation.

What this skill is for

Run this skill when you need to: - scan suspicious text for prompt injection / secret leakage patterns - validate shell commands before automation or publishing - validate URLs for SSRF / localhost / metadata access risks - validate file paths for traversal / sensitive file access - audit a skill folder for dangerous scripts, hardcoded secrets, exfiltration patterns, or unsafe install/publish flows - add a lightweight self-defense layer before using external skills

Workflow

  1. Choose the narrowest check needed.
  2. Run one of the bundled scripts.
  3. Treat BLOCK as stop-work until reviewed.
  4. Treat WARN as requiring human review or a narrower sandbox.
  5. For skill audits, review the flagged file lines before install/publish.

Bundled scripts

1) Quick text / command / URL / path checks

node {baseDir}/scripts/security-check.mjs text "<content>"
node {baseDir}/scripts/security-check.mjs command "<shell command>"
node {baseDir}/scripts/security-check.mjs url "<url>"
node {baseDir}/scripts/security-check.mjs path "<path>"

2) Skill / folder audit

node {baseDir}/scripts/audit-skill-dir.mjs /absolute/or/relative/path/to/skill

3) Write audit into Obsidian vault

node {baseDir}/scripts/write-obsidian-audit.mjs /tmp/audit.json "Skill Audit - my-skill"

This writes a markdown audit note into the ClawLite Obsidian vault under Security Audits/.

4) Install lightweight local hook wrapper

bash {baseDir}/scripts/install-hooks.sh

This installs a reusable workspace script for prepublish checks.

This audits for: - hardcoded secrets / tokens - curl|bash / wget|sh installers - destructive shell patterns - risky exfiltration / webhook / netcat usage - suspicious file targets like ~/.ssh, /etc/passwd, .env, id_rsa

Verdicts

  • ALLOW — no high-risk pattern found in this lightweight pass
  • WARN — review manually before proceeding
  • BLOCK — do not trust / run / publish until reviewed

Important limits

  • This is a lightweight guard, not a full sandbox.
  • Regex-based detection catches common dangerous patterns, not all attacks.
  • A clean result does not prove safety.
  • For high-risk code, still prefer human review and runtime isolation.

Publishing / install guard

Before publishing or installing a skill from GitHub / ClawHub: 1. run audit-skill-dir.mjs 2. inspect every WARN / BLOCK 3. only proceed when the remaining risk is understood

References

If you need the audit categories / philosophy, read: - {baseDir}/references/checklist.md