{"id":51177623,"url":"https://github.com/openclaw/clawscan","last_synced_at":"2026-06-27T05:00:53.408Z","repository":{"id":367655334,"uuid":"1277510760","full_name":"openclaw/clawscan","owner":"openclaw","description":"Composable security scanning harness for agent skills","archived":false,"fork":false,"pushed_at":"2026-06-27T00:54:22.000Z","size":2231,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-27T01:13:07.935Z","etag":null,"topics":["agent-security","ai-security","llm-security","prompt-injection","security-scanner","skill-scanner","skills-security"],"latest_commit_sha":null,"homepage":"https://musical-adventure-ww87k3k.pages.github.io/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openclaw.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":["moltbot"]}},"created_at":"2026-06-23T00:49:57.000Z","updated_at":"2026-06-27T00:54:26.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/openclaw/clawscan","commit_stats":null,"previous_names":["openclaw/clawscan"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/openclaw/clawscan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fclawscan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fclawscan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fclawscan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fclawscan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openclaw","download_url":"https://codeload.github.com/openclaw/clawscan/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fclawscan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34841990,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-27T02:00:06.362Z","response_time":126,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-security","ai-security","llm-security","prompt-injection","security-scanner","skill-scanner","skills-security"],"created_at":"2026-06-27T05:00:30.532Z","updated_at":"2026-06-27T05:00:53.387Z","avatar_url":"https://github.com/openclaw.png","language":"Go","funding_links":["https://github.com/sponsors/moltbot"],"categories":[],"sub_categories":[],"readme":"# ClawScan 📡\n\nClawScan is a composable security scanning harness for agent skills.\n\nRun a suite of skill security scanners, pass the results to a judge harness, and compare against multiple skill security benchmarks.\n\n[![CI](https://img.shields.io/badge/CI-passing-brightgreen)](https://github.com/openclaw/clawscan/actions/workflows/ci.yml?query=branch%3Amain)\n[![Release](https://img.shields.io/badge/Release-passing-brightgreen)](https://github.com/openclaw/clawscan/actions/workflows/release.yml)\n[![Latest release](https://img.shields.io/badge/latest%20release-unreleased-lightgrey)](https://github.com/openclaw/clawscan/releases)\n\n\n## Quick Start\n\nInstall ClawScan:\n\n```bash\nnpm install -g @openclaw/clawscan\n```\n\nCommand-backed scanners and judges run in ClawScan's Docker runtime by default,\nso keep Docker running for local scans.\n\nRun NVIDIA SkillSpector and Cisco Skill Scanner against a local `skills/` folder:\n\n```bash\nclawscan --scanner skillspector --scanner cisco\n```\n\n## Scan a known malicious skill\n\nThis example scans Trail of Bits' [`csv-summarizer`](https://github.com/trailofbits/overtly-malicious-skills/tree/4ffbf9461ef0505f9ce76a0d3694a18ec33ea531/skills/csv-summarizer) skill, which claims to summarize a CSV file but also prints every environment variable when run.\n\n```bash\ngit clone https://github.com/trailofbits/overtly-malicious-skills.git /tmp/overtly-malicious-skills\ncd /tmp/overtly-malicious-skills\ngit checkout 4ffbf9461ef0505f9ce76a0d3694a18ec33ea531\nclawscan skills/csv-summarizer \\\n  --scanner skillspector \\\n  --scanner cisco \\\n  --output /tmp/clawscan-csv-summarizer.json\n```\n\nSample findings:\n\n```txt\ntargets: 1\nscanner_completed: 2\nscanner_failed: 0\nscanner_skipped: 0\nissues_found: 2\nerrors: 0\nfull_results: /tmp/clawscan-csv-summarizer.json\n```\n\nThe results bundle keeps the top-level artifact plus per-scanner JSON reports.\n\n\u003cdetails\u003e\n\u003csummary\u003eArtifact excerpt\u003c/summary\u003e\n\n```json\n{\n  \"schemaVersion\": \"clawscan-run-v1\",\n  \"target\": \"skills/csv-summarizer\",\n  \"scanners\": {\n    \"cisco\": {\n      \"status\": \"completed\",\n      \"durationMs\": 42,\n      \"outputPath\": \"clawscan-csv-summarizer/skills/csv-summarizer/cisco.json\",\n      \"isSafe\": true,\n      \"maxSeverity\": \"SAFE\",\n      \"findingsCount\": 0\n    },\n    \"skillspector\": {\n      \"status\": \"completed\",\n      \"durationMs\": 42,\n      \"outputPath\": \"clawscan-csv-summarizer/skills/csv-summarizer/skillspector.json\",\n      \"severity\": \"MEDIUM\",\n      \"score\": 31,\n      \"recommendation\": \"CAUTION\",\n      \"issues\": [\n        {\n          \"id\": \"LP3\",\n          \"severity\": \"MEDIUM\",\n          \"file\": \"SKILL.md\"\n        },\n        {\n          \"id\": \"E2\",\n          \"severity\": \"HIGH\",\n          \"file\": \"scripts/summarize.py\"\n        }\n      ]\n    }\n  }\n}\n```\n\n\u003c/details\u003e\n\n\n## Motivation\n\nAgent-skill security is new and fast-moving, with researchers and companies\nexploring many promising scanners, datasets, and judge harnesses. In our\n[ClawHub Security Signals paper](https://arxiv.org/html/2606.01494v1), we found\nthat combining multiple scanners with a configurable judge works better than\nrelying on any single scanner.\n\nClawScan turns that approach into a repeatable CLI. It includes a built-in `clawhub` profile, a saved scanner-and-judge configuration that matches what ClawHub runs in production, so researchers can reproduce results, test improvements, and help improve detection against the weekly refreshed ClawHub security-signals dataset.\n\n## Commands\n\n| Command family | Use |\n| --- | --- |\n| `clawscan \u003ctarget\u003e --scanner \u003cid\u003e` | Run one or more scanners against an explicit target. Omit `\u003ctarget\u003e` to scan child skill directories under `./skills`. |\n| `clawscan scanners [list\\|\u003cscanner-id\u003e]` | Discover supported scanner IDs, required env vars, upstream links, descriptions, and install guidance. |\n| `clawscan profiles [-v]` | Inspect built-in plus nearest project-local profiles; `-v` prints the resolved profile catalog as YAML. |\n| `clawscan benchmark [list\\|\u003cbenchmark-id\u003e]` | Discover or run supported benchmarks through a selected scanner/profile/judge setup. |\n| `clawscan install \u003cscanner-id\u003e [...]` | Install or verify local scanner dependencies where ClawScan has registry-backed install plans. |\n\n## Scanners\n\n`--scanner` selects a scanner adapter to run, writes its raw JSON evidence into\nthe results artifact, and can be repeated to compare multiple scanners in one\nrun:\n\n```bash\nclawscan ./my-skill \\\n  --scanner skillspector \\\n  --scanner cisco\n```\n\nDiscover the scanner catalog from the CLI:\n\n```bash\nclawscan scanners\nclawscan scanners skillspector\n```\n\n### Available scanners\n\n\u003e **Want to add your scanner to the list?** Follow the guide in [docs/scanners.md](docs/scanners.md#adding-a-built-in-scanner-adapter)\n\n| ID | Name | Repo | Description | Required env vars | Local dependency setup |\n| --- | --- | --- | --- | --- | --- |\n| `agentverus` | AgentVerus | [repo](https://github.com/agentverus/agentverus-scanner) | Local file or directory scanner invoked through agentverus-scanner. | none | `npm install --save-dev agentverus-scanner` |\n| `aig` | Tencent AI-Infra-Guard | [repo](https://github.com/Tencent/AI-Infra-Guard) | API-backed MCP Server \u0026 Agent Skills scan through a running local or private A.I.G service. Upstream defaults to `http://localhost:8088` and currently lacks built-in authentication, so do not expose it on public networks. | none\u003cbr\u003e\u003cdetails\u003e\u003csummary\u003eOptional config\u003c/summary\u003e\u003ccode\u003eAIG_BASE_URL\u003c/code\u003e, \u003ccode\u003eAIG_API_KEY\u003c/code\u003e, \u003ccode\u003eAIG_MODEL\u003c/code\u003e, \u003ccode\u003eAIG_MODEL_API_KEY\u003c/code\u003e, \u003ccode\u003eAIG_MODEL_BASE_URL\u003c/code\u003e, \u003ccode\u003eAIG_USERNAME\u003c/code\u003e, \u003ccode\u003eAIG_SCAN_LANGUAGE\u003c/code\u003e, \u003ccode\u003eAIG_SCAN_PROMPT\u003c/code\u003e, \u003ccode\u003eAIG_SCAN_THREAD_COUNT\u003c/code\u003e, \u003ccode\u003eAIG_POLL_INTERVAL_MS\u003c/code\u003e, \u003ccode\u003eAIG_POLL_MAX_ATTEMPTS\u003c/code\u003e.\u003cbr\u003e\u003cbr\u003e\u003ccode\u003eAIG_BASE_URL\u003c/code\u003e defaults to \u003ccode\u003ehttp://localhost:8088\u003c/code\u003e; upstream model config is optional and can fall back to the A.I.G service defaults.\u003c/details\u003e | run the A.I.G Docker/API service separately |\n| `cisco` | Cisco AI Defense skill-scanner | [repo](https://github.com/cisco-ai-defense/skill-scanner) | Local file or directory scanner invoked through `skill-scanner` with JSON report output. Optional upstream env vars enable LLM, VirusTotal, and Cisco AI Defense analyzers. | none\u003cbr\u003e\u003cdetails\u003e\u003csummary\u003eOptional config\u003c/summary\u003e\u003ccode\u003eSKILL_SCANNER_LLM_API_KEY\u003c/code\u003e, \u003ccode\u003eSKILL_SCANNER_LLM_PROVIDER\u003c/code\u003e, \u003ccode\u003eSKILL_SCANNER_LLM_MODEL\u003c/code\u003e, \u003ccode\u003eSKILL_SCANNER_LLM_BASE_URL\u003c/code\u003e, \u003ccode\u003eSKILL_SCANNER_LLM_USER\u003c/code\u003e, \u003ccode\u003eSKILL_SCANNER_LLM_API_VERSION\u003c/code\u003e, \u003ccode\u003eSKILL_SCANNER_LLM_FORCE_JSON_OBJECT\u003c/code\u003e, \u003ccode\u003eSKILL_SCANNER_META_LLM_API_KEY\u003c/code\u003e, \u003ccode\u003eSKILL_SCANNER_META_LLM_MODEL\u003c/code\u003e, \u003ccode\u003eSKILL_SCANNER_META_LLM_BASE_URL\u003c/code\u003e, \u003ccode\u003eSKILL_SCANNER_META_LLM_API_VERSION\u003c/code\u003e, \u003ccode\u003eAWS_PROFILE\u003c/code\u003e, \u003ccode\u003eAWS_REGION\u003c/code\u003e, \u003ccode\u003eGOOGLE_APPLICATION_CREDENTIALS\u003c/code\u003e, \u003ccode\u003eVIRUSTOTAL_API_KEY\u003c/code\u003e, \u003ccode\u003eAI_DEFENSE_API_KEY\u003c/code\u003e, \u003ccode\u003eAI_DEFENSE_API_URL\u003c/code\u003e.\u003c/details\u003e | `uv pip install cisco-ai-skill-scanner` |\n| `clawscan-static` | ClawScan Static | [repo](https://github.com/openclaw/clawscan) | Built-in deterministic text scanner for high-signal risky skill patterns. | none | skipped; built in |\n| `skillspector` | NVIDIA SkillSpector | [repo](https://github.com/NVIDIA/skillspector) | Local file or directory scanner. Uses LLM mode when provider env vars are set; otherwise runs with `--no-llm`. | none\u003cbr\u003e\u003cdetails\u003e\u003csummary\u003eOptional config\u003c/summary\u003e\u003ccode\u003eSKILLSPECTOR_PROVIDER\u003c/code\u003e, \u003ccode\u003eSKILLSPECTOR_MODEL\u003c/code\u003e, \u003ccode\u003eSKILLSPECTOR_MODEL_REGISTRY\u003c/code\u003e, \u003ccode\u003eSKILLSPECTOR_LOG_LEVEL\u003c/code\u003e, \u003ccode\u003eSKILLSPECTOR_SSL_VERIFY\u003c/code\u003e, \u003ccode\u003eNVIDIA_INFERENCE_KEY\u003c/code\u003e, \u003ccode\u003eOPENAI_API_KEY\u003c/code\u003e, \u003ccode\u003eOPENAI_BASE_URL\u003c/code\u003e, \u003ccode\u003eANTHROPIC_API_KEY\u003c/code\u003e, \u003ccode\u003eANTHROPIC_PROXY_ENDPOINT_URL\u003c/code\u003e, \u003ccode\u003eANTHROPIC_PROXY_API_KEY\u003c/code\u003e, \u003ccode\u003eANTHROPIC_PROXY_API_VERSION\u003c/code\u003e.\u003c/details\u003e | `uv tool install git+https://github.com/NVIDIA/skillspector.git` |\n| `snyk` | Snyk Agent Scan | [repo](https://github.com/snyk/agent-scan) | Local skill scanner invoked through `uvx snyk-agent-scan`. | `SNYK_TOKEN` | verifies `uvx` launcher |\n| `socket` | Socket CLI | [repo](https://github.com/SocketDev/socket-cli) | Local file or directory scanner using Socket's public CLI full-scan path. | `SOCKET_CLI_API_TOKEN` | `npm install -g socket` |\n| `virustotal` | VirusTotal API | [docs](https://docs.virustotal.com/reference/file) | API-backed single local file hash lookup. Directories return a skipped result. | `VIRUSTOTAL_API_KEY` | skipped; API-backed |\n\n## Sandbox\n\nClawScan runs command-backed scanners and judges in\n`ghcr.io/openclaw/clawscan-runtime:latest` by default:\n\n```bash\nclawscan ./my-skill --scanner skillspector\n```\n\nUse `--sandbox off` only in an already-isolated environment, or when you have\ninstalled scanner dependencies on the host with `clawscan install`. Use\n`--sandbox-env \u003cNAME\u003e` or a profile `sandbox.env` list to pass judge-specific\nenvironment variables into the container.\n\n## Judge Harness\n\n`--judge` hands scanner evidence to an external agent command so it can inspect\nthe skill, do its own research in the scan workspace, and write a final JSON\nverdict:\n\n```bash\nclawscan ./my-skill \\\n  --scanner skillspector \\\n  --judge 'codex exec --cd {{ workspace }} --output-last-message {{ output }} - \u003c {{ prompt:./prompt.md }}'\n```\n\nSupported `--judge` placeholders:\n\n| Placeholder | Meaning |\n| --- | --- |\n| `{{ workspace }}` | Temporary directory containing the copied skill, scanner JSON, and metadata. |\n| `{{ prompt }}` | Render `./prompt.md` and pass the rendered prompt file path. |\n| `{{ prompt:\u003cpath\u003e }}` | Render a specific prompt template and pass that file path. |\n| `{{ output_schema }}` | Copy `./schema.json` into the workspace and pass that file path. |\n| `{{ output_schema:\u003cpath\u003e }}` | Copy a specific schema file and pass that file path. |\n| `{{ output }}` | File path where the judge should write its final JSON object. |\n\n## Profiles\n\n`--profile` runs a saved scanner and judge configuration, such as the built-in\n`clawhub` profile that matches ClawHub's production scanner suite and Codex\njudge harness:\n\n```bash\nclawscan ./my-skill --profile clawhub\n```\n\nInspect the resolved profile catalog, including the nearest project\n`.clawscan.yml` / `.clawscan.yaml` when present:\n\n```bash\nclawscan profiles\nclawscan profiles -v\n```\n\n### Available profiles\n\n| Profile | Scanners | Judge |\n| --- | --- | --- |\n| `clawhub` | `skillspector`, `clawscan-static` | Codex `gpt-5.5`, high reasoning, bundled ClawHub prompt/schema |\n| `skills-sh` | `socket`, `snyk` (Gen Agent Trust Hub also runs on skills.sh but does not offer a CLI) | none |\n\n\n\n\n### Build a custom profile with `.clawscan.yml`\n\nCustom profiles can be created in `.clawscan.yml`.\n\nThis is useful for version controlling iterations on your profile, creating multiple profiles to run over the same skills, etc\n\n```yaml\nversion: 1\nprofiles:\n  review:\n    scanners:\n      - skillspector\n      - snyk\n    sandbox:\n      env:\n        - OPENAI_API_KEY\n        - CODEX_API_KEY\n    judge:\n      command: \u003e\n        codex exec --cd {{ workspace }}\n        --model gpt-5.5\n        --output-last-message {{ output }}\n        - \u003c {{ prompt:./prompt.md }}\n```\n\n## Benchmarks\n\n`clawscan benchmark \u003cbenchmark-id\u003e` runs a supported benchmark through the\nselected scanners and optional judge harness:\n\n```bash\nclawscan benchmark list\n\nclawscan benchmark SkillTrustBench \\\n  --profile clawhub \\\n  --output ./artifacts/skilltrustbench-clawhub.json\n```\n\n### Available benchmarks\n\n| Benchmark | ID | Source |\n| --- | --- | --- |\n| ClawHub Security Signals | `clawhub-security-signals` | [Hugging Face](https://huggingface.co/datasets/OpenClaw/clawhub-security-signals) |\n| SkillTrustBench | `SkillTrustBench` | [Hugging Face](https://huggingface.co/datasets/cuhk-zhuque/SkillTrustBench) |\n\n### Submitting a patch to the `clawhub` profile\n\nIf you are a security researcher who found malicious skills live on ClawHub and\nwant to improve the production scanner so it catches them, use GitHub private\nvulnerability reporting for the sensitive details and open a PR containing only\na candidate `proposals/\u003cGHSA-ID\u003e/clawscan.yml` config. For a guided walkthrough,\nask Codex:\n\n```text\nUse $report-clawhub-malicious-skill to walk me through reporting a malicious ClawHub skill.\n```\n\n### ClawHub Profile Benchmark\n\n\u003c!-- clawscan-benchmark:clawhub:start --\u003e\nProfile: `clawhub`\nBenchmark: pending maintainer `SkillTrustBench Profile Gate` run.\nArtifact: uploaded by the workflow as `skilltrustbench-candidate`.\n\u003c!-- clawscan-benchmark:clawhub:end --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenclaw%2Fclawscan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenclaw%2Fclawscan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenclaw%2Fclawscan/lists"}