Skill Scanner

Security audit tool for Clawdbot/MCP skills - scans for malware, spyware, crypto-mining, and malicious patterns.

Features

• Detects data exfiltration patterns (env scraping, credential access, HTTP POST to unknown domains)
• Identifies system modification attempts (dangerous rm, crontab changes, systemd persistence)
• Catches crypto-mining indicators (xmrig, mining pools, wallet addresses)
• Flags arbitrary code execution risks (eval, exec, download-and-execute)
• Detects backdoors (reverse shells, socket servers)
• Finds obfuscation techniques (base64 decode + exec)
• Outputs Markdown or JSON reports
• Returns exit codes for CI/CD integration

Installation

# Clone the repo
git clone https://github.com/bvinci1-design/skill-scanner.git
cd skill-scanner

# No dependencies required - uses Python standard library only
# Requires Python 3.7+

---

How to Run in Clawdbot

Clawdbot users can run this scanner directly as a skill to audit other downloaded skills.

Quick Start (Clawdbot)

1. Download the scanner from this repo to your Clawdbot skills folder:

   cd ~/.clawdbot/skills
   git clone https://github.com/bvinci1-design/skill-scanner.git
   

2. Scan any skill by telling Clawdbot:

   "Scan the [skill-name] skill for security issues using skill-scanner"
   

   Or run directly:

   python ~/.clawdbot/skills/skill-scanner/skill_scanner.py ~/.clawdbot/skills/[skill-name]
   

3. Review the output - Clawdbot will display:

   • Verdict: APPROVED, CAUTION, or REJECT
   • Any security findings with severity levels
   • Specific file and line numbers for concerns

Example Clawdbot Commands

"Use skill-scanner to check the youtube-watcher skill"
"Scan all my downloaded skills for malware"
"Run a security audit on the remotion skill"

Interpreting Results in Clawdbot

---

How to Run on Any Device

The scanner works on any system with Python 3.7+ installed.

Prerequisites

• Python 3.7 or higher
• Git (for cloning) or download ZIP from GitHub
• No additional packages required (uses Python standard library)

Installation Options

Option 1: Clone with Git

git clone https://github.com/bvinci1-design/skill-scanner.git
cd skill-scanner

Option 2: Download ZIP

1. Click "Code" button on GitHub
2. Select "Download ZIP"
3. Extract to desired location

Command Line Usage

Basic scan:

python skill_scanner.py /path/to/skill-folder

Output to file:

python skill_scanner.py /path/to/skill-folder --output report.md

JSON output:

python skill_scanner.py /path/to/skill-folder --json

Scan current directory:

python skill_scanner.py .

Web UI (Streamlit)

For a user-friendly graphical interface:

1. Install Streamlit:

   pip install streamlit
   

2. Run the UI:

   streamlit run streamlit_ui.py
   

3. Open in browser at http://localhost:8501

4. Features:

   • Drag-and-drop file upload
   • Support for ZIP archives
   • Paste code directly for scanning
   • Visual severity indicators
   • Export reports in Markdown or JSON

---

Exit Codes

Threat Patterns Detected

Critical (auto-reject)

• Credential path access (~/.ssh, ~/.aws, /etc/passwd)
• Dangerous recursive delete (rm -rf /)
• Systemd/launchd persistence
• Crypto miners (xmrig, ethminer, stratum+tcp)
• Download and execute (curl | sh)
• Reverse shells (/dev/tcp, nc -e)
• Base64 decode + exec obfuscation

High (caution)

• Bulk environment variable access
• Crontab modification
• eval/exec dynamic code execution
• Socket servers

Medium (informational)

• Environment variable reads
• HTTP POST to external endpoints

CI/CD Integration

# GitHub Actions example
- name: Scan skill for security issues
  run: |
    python skill_scanner.py ./my-skill --output scan-report.md
    if [ $? -eq 2 ]; then
      echo "CRITICAL issues found - blocking merge"
      exit 1
    fi

Contributing

Pull requests welcome! To add new threat patterns, edit the THREAT_PATTERNS list in skill_scanner.py.

License

MIT License - see LICENSE file for details.