Trusted — Risk Score 5/100
Last scan: 1 day ago
skill-guard
Claude Code / OpenClaw Skill security auditing tool with always-active hook interception + static/LLM scanning + sandbox behavioral testing
Skill Guard is a legitimate security auditing tool with no malicious behavior - all capabilities match documentation, no external dependencies, and proper sandbox isolation.
Skill Name: skill-guard
Duration: 61.0s
Engine: pi
Safe to install
This skill is safe to use. It provides valuable security auditing capabilities for Claude Code / OpenClaw skills.

Findings (4 items)

Severity: Info
Finding: Subprocess execution for sandbox [RCE]
sandbox_run.py uses subprocess.run() to execute target skill scripts with the --help flag. This is the intended sandbox isolation mechanism.
Evidence: subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, cwd=str(sandbox_dir), env=restricted_env)
→ This is legitimate security tool behavior - no action needed
Location: scripts/sandbox_run.py:195
Severity: Info
Finding: String segmentation for anti-AV detection [Obfuscation]
Threat keywords in regex patterns are constructed from string segments to prevent antivirus false positives. Explicitly documented as a defensive measure.
Evidence: "crypt" + "onight"
→ This is a legitimate anti-AV technique used by security tools - no action needed
Location: scripts/quick_scan.py:80
Severity: Info
Finding: Sensitive path patterns are detection rules [Sensitive Access]
Patterns referencing ~/.ssh, ~/.aws, etc. are regex detection rules for identifying malicious patterns in TARGET skills being scanned - not access attempts by this skill itself.
Evidence: _KW_SENS_PATHS = "|".join(["\\.s" + "sh", "\\.a" + "ws", ...])
→ This is legitimate scanning behavior - no action needed
Location: scripts/quick_scan.py:102
Severity: Info
Finding: Session state persistence [Priv Escalation]
danger_guard.py persists session state to /tmp/skill-guard-hook/ to avoid re-blocking confirmed operations. Uses a temp directory with user permissions.
Evidence: SESSION_STATE_DIR = os.path.join(tempfile.gettempdir(), "skill-guard-hook")
→ Appropriate use of temp directory for session state - no security concern
Location: hooks/danger_guard.py:21

Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md states Read tool usage for target skill files
Shell | WRITE | WRITE | ✓ Aligned | subprocess.run() in sandbox_run.py lines 195-211, danger_guard.py runs as PreToo…
Network | NONE | NONE | | No network calls in code; sandbox explicitly denies network access
Environment | NONE | READ | ✓ Aligned | Reads USER, LANG from os.environ for sandbox env only
Skill Invoke | WRITE | WRITE | ✓ Aligned | SKILL.md declares skill_invoke capability for auditing other skills
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | NONE | | No browser access detected
Database | NONE | NONE | | No database access detected

File Tree

12 files · 109.6 KB · 2618 lines
Python: 3 files · 1617 lines | Markdown: 6 files · 935 lines | JSON: 3 files · 66 lines
├─ 📁 .claude
│ └─ 📋 settings.local.json JSON 20L · 1.2 KB
├─ 📁 hooks
│ ├─ 🐍 danger_guard.py Python 420L · 16.8 KB
│ └─ 📋 hooks.json JSON 27L · 610 B
├─ 📁 references
│ ├─ 📝 checklist.md Markdown 162L · 6.3 KB
│ ├─ 📝 dangerous_commands.md Markdown 133L · 5.5 KB
│ ├─ 📝 known_threats.md Markdown 156L · 10.0 KB
│ └─ 📝 openclaw_adapter.md Markdown 186L · 5.5 KB
├─ 📁 scripts
│ ├─ 🐍 quick_scan.py Python 719L · 31.2 KB
│ └─ 🐍 sandbox_run.py Python 478L · 19.8 KB
├─ 📋 _meta.json JSON 19L · 549 B
├─ 📝 README.md Markdown 104L · 4.7 KB
└─ 📝 SKILL.md Markdown 194L · 7.4 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
Python standard library only | N/A | stdlib | No | Uses json, os, re, sys, pathlib, subprocess, shutil, argparse, tempfile, uuid, math, base64 - no external packages

Security Positives

✓ No external dependencies - uses only Python standard library
✓ All capabilities declared in SKILL.md match actual implementation
✓ Proper sandbox isolation with macOS sandbox-exec or Linux restricted environment
✓ Network access explicitly denied in sandbox profile
✓ Session state stored in temp directory with user permissions
✓ Self-scan prevention with # noscan comments prevents false positives
✓ Comprehensive 8-dimension audit checklist for semantic analysis
✓ Known threat pattern database for detection
✓ No credential harvesting, no data exfiltration, no reverse shell patterns
✓ Code is well-documented and readable with clear intent
✓ Exit code 2 for blocking (standard hook convention) with user confirmation flow