@clawhub-folvindine-bbd2532cd9
Security check for OpenClaw skills. Scan any ClawHub skill for malware, prompt injection, data theft, wallet stealing, and dangerous permissions BEFORE insta...
---
name: agora-sentinel
description: >
Security check for OpenClaw skills. Scan any ClawHub skill for malware,
prompt injection, data theft, wallet stealing, and dangerous permissions
BEFORE installing. Always use this skill when installing new skills,
when asked "is this safe", "is this legit", "should I install this",
"check this skill", "scan this skill", "is this malware", "can I trust this",
"verify this skill", "audit this skill", "security check", or any concern
about skill safety. Also use when the user says "install [skill-name]" to
pre-check it automatically. Use when reviewing installed skills for risks.
Free, no API key needed, checks against continuously updated trust database
scanning all 30,000+ ClawHub skills.
homepage: https://checksafe.dev
metadata:
openclaw:
emoji: "🛡️"
requires:
env: []
files:
- "scripts/*"
skillKey: "agora-sentinel"
---
## When to Use This Skill
**ALWAYS check a skill's safety before installing it.** Whenever the user asks
to install a ClawHub skill, or you are about to run `clawhub install`, FIRST
check the skill's trust score using this skill.
**Before ANY skill install**, run the check script:
```bash
bash scripts/check_skill.sh <skill-slug>
```
If the result shows:
- **TRUSTED** or **CLEAN** — Safe to proceed. Tell the user the score.
- **CAUTION** — Warn the user about specific risks. Proceed only if they confirm.
- **WARNING** — Strongly advise against installing. Show the findings.
- **DANGER** — Do NOT install. Show the user exactly what was detected.
Before installing any skill, always check it first. This is the single most
important thing this skill does — automatic pre-install security screening.
## Checking a Specific Skill
When the user asks about a skill's safety, reputation, or trustworthiness —
including "is this skill safe", "is this legit", "should I install this",
"can I trust this", or any concern about security:
```bash
bash scripts/check_skill.sh <skill-slug>
```
Present the results clearly:
- Trust Score (0-100) and Badge (TRUSTED/CLEAN/CAUTION/WARNING/DANGER)
- Tier level (0-4, where 4 is most trusted)
- Any flags: malware patterns, excessive permissions, prompt injection risk
- Permission breakdown: what the skill requests access to
- How old the skill is and how many downloads it has
If the user just gives a skill name without the exact slug, try the name
as-is (lowercase, hyphenated). Example: "crypto helper" -> "crypto-helper"
For a detailed security audit with full findings:
```bash
curl -s https://checksafe.dev/api/v1/skills/<skill-slug>/report
```
## Scanning All Installed Skills
When the user asks to audit their installed skills, check their security,
review what they have installed, check all installed skills, or says
"review my skills", "security audit", or "scan my setup":
```bash
bash scripts/scan_installed.sh
```
This scans every skill in the workspace and reports any with WARNING or
DANGER ratings. Present results as a summary table showing each skill's
badge and score, then detail any concerning findings.
## Quick Check Without Scripts
If scripts are unavailable, you can check directly:
```bash
curl -s https://checksafe.dev/api/v1/skills/<skill-slug>/badge.json
```
Response format:
```json
{
"slug": "skill-name",
"label": "sentinel",
"message": "trusted",
"color": "#4caf50",
"trust_score": 94,
"tier": 4
}
```
For a full report with detailed findings:
```bash
curl -s https://checksafe.dev/api/v1/skills/<skill-slug>/report
```
## What Gets Scanned
Agora Sentinel continuously monitors every skill on ClawHub (30,000+) for:
- **Malware patterns**: wallet theft, credential stealing, crypto stealing code, hidden downloads
- **Prompt injection**: instructions that override system prompts or manipulate the LLM
- **Data exfiltration**: code that sends local files, environment variables, or secrets to external servers
- **Excessive permissions**: skills requesting shell+network access when they shouldn't need it
- **Dangerous permission combos**: file_write+network enables data theft, shell+network enables RCE
- **Obfuscated code**: base64 encoded commands, hidden hex payloads, eval of dynamic content
- **Hidden instructions**: zero-width characters, HTML comment tricks, fake system prompts
- **ClickFix social engineering**: fake prerequisites telling users to run malicious terminal commands
- **Two-stage loaders**: download-and-execute patterns, base64 decode pipelines, fetch+eval
- **Credential theft**: SSH keys, browser cookies, crypto wallets, OpenClaw env files, keychain access
- **Infrastructure IOCs**: known malicious IPs and domains from the ClawHavoc campaign
- **Typosquatting**: skill names mimicking popular legitimate skills (Levenshtein distance)
- **Campaign detection**: coordinated bulk uploads from suspicious authors
All scans run automatically. No API key needed. Results update continuously.
Dashboard: https://checksafe.dev/dashboard/
## Trust Tiers
| Tier | Name | Meaning |
|------|------|---------|
| 4 | Trusted | Score 90+, 30+ days old, zero findings ever |
| 3 | Certified | Score 75+, no critical findings |
| 2 | Clean | Score 55+, passed all scans |
| 1 | Scanned | Score 30+, some concerns |
| 0 | Dangerous | Score below 30 OR malicious patterns detected |
## Batch Checking Multiple Skills
To check several skills at once:
```bash
bash scripts/check_batch.sh skill-one skill-two skill-three
```
## What This Skill Does NOT Do
- Does not execute or sandbox skills — only checks Sentinel's pre-computed trust data
- Does not block installs — warns and advises, user has final say
- Does not require any API keys or accounts
- Does not send any user data to Sentinel — only queries by skill slug
- Does not modify other skills or system files
FILE:README.md
# Agora Sentinel
**Security scanner for OpenClaw skills.** Checks any ClawHub skill for malware,
prompt injection, data theft, and dangerous permissions before you install it.
## Why?
In early 2026, over 2,300 malicious skills were found on ClawHub — including
wallet-stealing malware downloaded 14,000+ times. VirusTotal catches known
malware, but misses prompt injection, permission abuse, and novel attacks.
Agora Sentinel continuously scans **every skill on ClawHub** (30,000+) using
8 specialized scanners: static analysis, permission auditing, prompt injection
detection, ClickFix social engineering, two-stage loader detection, credential
theft patterns, infrastructure IOCs, and typosquat detection.
## How It Works
1. Install this skill
2. Before installing any other skill, your agent automatically checks
its trust score against Sentinel's database
3. Dangerous skills get flagged before they can do harm
No API key needed. No account needed. Free forever.
## Commands
- **Auto-check**: Happens automatically before any `clawhub install`
- **Manual check**: "Is [skill-name] safe?" or "Check [skill-name] security"
- **Audit installed**: "Scan all my installed skills for security issues"
- **Browse dashboard**: https://checksafe.dev/dashboard/
## Trust Scores
| Badge | Score | Meaning |
|-------|-------|---------|
| TRUSTED | 90-100 | Strong safety record, well-established |
| CLEAN | 70-89 | No significant issues |
| CAUTION | 50-69 | Some concerns, review recommended |
| WARNING | 30-49 | Significant risks detected |
| DANGER | 0-29 | Malicious patterns detected, do not install |
## API
Free public API, no authentication:
```bash
# Quick badge check
curl https://checksafe.dev/api/v1/skills/{slug}/badge.json
# Full report
curl https://checksafe.dev/api/v1/skills/{slug}/report
# Search safe skills
curl https://checksafe.dev/api/v1/search?q=weather&min_tier=2
```
## About
Built by [Agora](https://checksafe.dev) — trust infrastructure for AI agents.
FILE:scripts/check_batch.sh
#!/bin/bash
# Agora Sentinel — Check multiple skills at once
# Usage: bash scripts/check_batch.sh slug1 slug2 slug3 ...
# Or pipe: echo "slug1 slug2" | bash scripts/check_batch.sh
API="https://checksafe.dev/api/v1"
# Collect slugs from args or stdin
if [ $# -gt 0 ]; then
SLUGS="$@"
else
read -r SLUGS
fi
if [ -z "$SLUGS" ]; then
echo "Usage: check_batch.sh <slug1> <slug2> ..."
exit 1
fi
echo "Agora Sentinel — Batch Security Check"
echo "========================================="
echo ""
DANGER_COUNT=0
WARNING_COUNT=0
TOTAL=0
for SLUG in $SLUGS; do
TOTAL=$((TOTAL+1))
BADGE_DATA=$(curl -sf "API/skills/SLUG/badge.json" 2>/dev/null)
if [ -z "$BADGE_DATA" ]; then
echo " SLUG: Not found in database"
continue
fi
BADGE=$(python3 -c "import json; d=json.loads('''BADGE_DATA'''); print(d.get('message', d.get('badge','?')).upper())" 2>/dev/null)
SCORE=$(python3 -c "import json; d=json.loads('''BADGE_DATA'''); print(d.get('trust_score', d.get('score',0)))" 2>/dev/null)
case "$BADGE" in
TRUSTED) echo " [TRUSTED] SLUG (SCORE/100)" ;;
CLEAN) echo " [CLEAN] SLUG (SCORE/100)" ;;
CAUTION) echo " [CAUTION] SLUG (SCORE/100)" ;;
WARNING) echo " [WARNING] SLUG (SCORE/100)"; WARNING_COUNT=$((WARNING_COUNT+1)) ;;
DANGER) echo " [DANGER] SLUG (SCORE/100)"; DANGER_COUNT=$((DANGER_COUNT+1)) ;;
*) echo " [BADGE] SLUG (SCORE/100)" ;;
esac
done
echo ""
echo "========================================="
echo "Checked: TOTAL skills"
if [ $DANGER_COUNT -gt 0 ]; then
echo "DANGER_COUNT DANGEROUS skill(s) detected!"
elif [ $WARNING_COUNT -gt 0 ]; then
echo "WARNING_COUNT skill(s) with warnings."
else
echo "All checked skills look safe."
fi
FILE:scripts/check_skill.sh
#!/bin/bash
# Agora Sentinel — Check a single ClawHub skill's trust score
# Usage: bash scripts/check_skill.sh <skill-slug>
SLUG="$1"
API="https://checksafe.dev/api/v1"
if [ -z "$SLUG" ]; then
echo "Usage: check_skill.sh <skill-slug>"
echo "Example: check_skill.sh crypto-wallet-helper"
exit 1
fi
# Fetch badge data
BADGE_DATA=$(curl -sf "API/skills/SLUG/badge.json" 2>/dev/null)
if [ $? -ne 0 ] || [ -z "$BADGE_DATA" ]; then
echo " Skill 'SLUG' not found in Sentinel database."
echo "It may be too new or not yet scanned."
echo "Check manually: API/skills/SLUG"
exit 1
fi
# Parse JSON (using python3 for portability since jq may not be available)
python3 -c "
import json, sys
data = json.loads('''BADGE_DATA''')
badge = data.get('message', data.get('badge', 'UNKNOWN')).upper()
score = data.get('trust_score', data.get('score', 0))
tier = data.get('tier', 0)
slug = data.get('slug', 'SLUG')
# Badge emoji
emojis = {'TRUSTED': '\U0001f7e2', 'CLEAN': '\U0001f535', 'CAUTION': '\U0001f7e1', 'WARNING': '\U0001f7e0', 'DANGER': '\U0001f534'}
emoji = emojis.get(badge, '\u26aa')
print(f'')
print(f'{emoji} Agora Sentinel Report: {slug}')
print(f' Badge: {badge}')
print(f' Score: {score}/100')
print(f' Tier: {tier}/4')
print(f' Details: https://checksafe.dev/dashboard/{slug}')
print(f'')
if badge == 'DANGER':
print('\U0001f6ab DANGER: This skill has been flagged as potentially malicious.')
print(' DO NOT install without reviewing the full report.')
elif badge == 'WARNING':
print('\u26a0\ufe0f WARNING: This skill has significant security concerns.')
print(' Review findings before installing.')
elif badge == 'CAUTION':
print('\u26a1 CAUTION: Some concerns detected. Review recommended.')
elif badge == 'CLEAN':
print('\u2705 Clean: No significant issues detected.')
elif badge == 'TRUSTED':
print('\u2705 Trusted: This skill has a strong safety record.')
" 2>/dev/null
if [ $? -ne 0 ]; then
# Fallback if python parsing fails — just show raw JSON
echo "Sentinel result for SLUG:"
echo "$BADGE_DATA"
fi
FILE:scripts/scan_installed.sh
#!/bin/bash
# Agora Sentinel — Scan all installed OpenClaw skills
# Finds skills in ./skills/ directory and checks each against Sentinel
API="https://checksafe.dev/api/v1"
SKILLS_DIR="-./skills"
if [ ! -d "$SKILLS_DIR" ]; then
# Try common locations
for DIR in "./skills" "$HOME/.openclaw/skills" "$HOME/openclaw/skills"; do
if [ -d "$DIR" ]; then
SKILLS_DIR="$DIR"
break
fi
done
fi
if [ ! -d "$SKILLS_DIR" ]; then
echo "Could not find skills directory. Set OPENCLAW_SKILLS_DIR or run from workspace root."
exit 1
fi
echo "Agora Sentinel — Installed Skills Audit"
echo "============================================"
echo "Scanning: SKILLS_DIR"
echo ""
SLUGS=""
for SKILL_DIR in "$SKILLS_DIR"/*/; do
if [ -f "SKILL_DIRSKILL.md" ]; then
SLUG=$(basename "$SKILL_DIR")
SLUGS="SLUGS SLUG"
fi
done
if [ -z "$SLUGS" ]; then
echo "No skills found in SKILLS_DIR"
exit 0
fi
# Use batch check
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
bash "SCRIPT_DIR/check_batch.sh" $SLUGS