Low Risk — Risk Score 25/100
Last scan: 1 day ago
agora-sentinel
Security check for OpenClaw skills. Scan any ClawHub skill for malware, prompt injection, data theft, wallet stealing, and dangerous permissions BEFORE installing.
Agora Sentinel is a legitimate-looking ClawHub security scanner that makes outbound HTTP requests to checksafe.dev API. Its behavior is benign — only sends skill slugs, receives trust scores, no credential theft or data exfiltration — but it under-declares its actual resource usage (shell, network, filesystem READ) in metadata.
Skill Name: agora-sentinel
Duration: 57.3s
Engine: pi
Safe to install
Declare shell:WRITE, network:READ, filesystem:READ, and env:READ in SKILL.md metadata. No blocking action needed since no malicious behavior is present, but transparency about resource usage is required.

Findings 3 items

Severity: Low
Finding: Metadata under-reports actual resource usage (Doc Mismatch)
Location: SKILL.md:12
SKILL.md metadata declares requires.env:[] (no env access needed), but the scripts readily access the OPENCLAW_SKILLS_DIR environment variable and filesystem paths. This is a minor doc-code mismatch.
Evidence:
requires:
  env: []
→ Update metadata to declare env:READ (for OPENCLAW_SKILLS_DIR) and files:READ for the skills directory.

Severity: Low
Finding: Outbound network requests not declared (Doc Mismatch)
Location: SKILL.md:90
The 'What This Skill Does NOT Do' section of SKILL.md says 'Does not send any user data to Sentinel', but all three scripts make HTTP GET requests to checksafe.dev. While only skill slugs (non-sensitive) are sent, the network access itself is undeclared.
Evidence:
Does not send any user data to Sentinel — only queries by skill slug
→ Add a declaration that the skill makes read-only API calls to checksafe.dev for trust score lookups. The outbound traffic is acceptable but must be documented.

Severity: Info
Finding: Third-party API dependency on checksafe.dev (Doc Mismatch)
Location: scripts/check_skill.sh:6
All functionality depends on https://checksafe.dev being available and trustworthy. The domain's operational status is outside the skill's control. If checksafe.dev is compromised or taken over, the skill's results become unreliable.
Evidence:
API="https://checksafe.dev/api/v1"
→ Consider adding a fallback or warning when the API is unreachable. No immediate risk, but a dependency risk worth noting.

Resource | Declared | Inferred | Status | Evidence
Shell | NONE | WRITE | ✗ Violation | scripts/check_skill.sh:23 bash curl + python3 subprocess
Network | NONE | READ | ✗ Violation | scripts/check_skill.sh:23 curl https://checksafe.dev/api/v1/...
Filesystem | NONE | READ | ✗ Violation | scripts/scan_installed.sh:29-32 reads skills directory
Environment | NONE | READ | ✗ Violation | scripts/scan_installed.sh:7 reads OPENCLAW_SKILLS_DIR
Skill Invoke | NONE | READ | ✗ Violation | scripts/scan_installed.sh:33 reads SKILL.md files

5 findings
Medium | External URL | https://checksafe.dev/dashboard/ | README.md:31
Medium | External URL | https://checksafe.dev/api/v1/skills/ | README.md:49
Medium | External URL | https://checksafe.dev/api/v1/search?q=weather&min_tier=2 | README.md:55
Medium | External URL | https://checksafe.dev | README.md:60
Medium | External URL | https://checksafe.dev/api/v1 | scripts/check_batch.sh:6

File Tree

5 files · 13.0 KB · 381 lines
Markdown 2f · 216L Shell 3f · 165L
├─ 📁 scripts
│ ├─ 🔧 check_batch.sh Shell 59L · 1.9 KB
│ ├─ 🔧 check_skill.sh Shell 63L · 2.1 KB
│ └─ 🔧 scan_installed.sh Shell 43L · 1.1 KB
├─ 📝 README.md Markdown 60L · 2.0 KB
└─ 📝 SKILL.md Markdown 156L · 5.9 KB

Security Positives

✓ No credential theft or sensitive data exfiltration — only skill slugs (user-supplied strings) are sent to external API
✓ No obfuscation, base64, or encoded payloads found in any script
✓ No file writes, no modifications to the filesystem or system
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, keychain, etc.)
✓ No reverse shell, RCE, or code execution beyond declared API-query workflow
✓ Python3 JSON parsing is used safely with no eval() or dynamic code execution
✓ Skill is purely read-only with respect to local system; no local data is sent externally
✓ No supply-chain issues — no external dependencies (requirements.txt, package.json, etc.)