Security Audit Skill

Automated security checks for external resources before execution.

When to Use

✅ ALWAYS use this skill when:

Cloning any GitHub repository
Downloading skills or code from the web
Running external scripts or code
Installing new tools from untrusted sources

Security Checks

File Type Detection

File Type	Risk Level	Action
`.py`, `.js`, `.ts`, `.go`, `.rs`	✅ Low	Safe to review
`.md`, `.txt`, `.json`, `.yaml`	✅ Low	Safe to read
`.exe`, `.bat`, `.sh`, `.app`, `.msi`	🔴 High	Block without review
Unknown binary files	🔴 High	Block without review

Content Analysis

Source Code Present: ✅ Pass
README Matches Content: ✅ Pass
Suspicious Patterns: Detects:
- Base64 encoded payloads
- Shellcode signatures
- Obfuscated code
- Network connections in scripts

Red Flags

🚨 Immediately alert user if:

Executable files without source code
README claims functionality not present in code
Extremely long text files (> 50KB with single line)
Encrypted/obfuscated content
Direct download links in README (not GitHub releases)

Usage

# Audit a directory
cd /path/to/repo
python3 audit.py

# Audit with verbose output
python3 audit.py --verbose

# Export report to file
python3 audit.py --output report.txt

Check Results

✅ Safe

🛡️ Security Audit: PASSED

All checks passed. This resource appears safe to use.
- Source code: Found
- File types: Normal
- Content: Matches description
- No suspicious patterns detected

⚠️ Warning

⚠️ Security Audit: WARNING

Found minor issues that need review:
- Long line in file.txt (65000+ chars)
- Some files lack comments

Recommended: Review before execution.

🚨 Critical

🚨 Security Audit: BLOCKED

Critical security issues detected:
- Executable file: resolver.exe (NO source code)
- Suspicious payload: icon16.txt (289KB single-line text)
- README mismatch: Claims "memory system" but contains malware

🛑 DO NOT EXECUTE. Delete immediately.

Integration with OpenClaw

This skill can be invoked automatically by OpenClaw when:

Cloning Repos: Runs after git clone
Downloading Skills: Runs after clawhub install
Running External Scripts: Runs before execution

To enable automatic auditing, add to your workflow:

# After git clone
git clone <repo-url> && cd <repo> && python3 audit.py

# After clawhub install
clawhub install <skill> && python3 ~/.clawhub/skills/<skill>/audit.py

Security Best Practices

For Users

Never run unverified executables
Always review code before execution
Check file types in downloaded archives
Verify repository activity and contributors
Use virtual environments for testing

For Skill Authors

Provide source code in clear text
Include README that matches functionality
Avoid obfuscation or encryption
Document dependencies clearly
Use standard formats (no custom binaries)

False Positives

Some safe projects may trigger warnings:

Large data files: Legitimate models, datasets
Minified code: Production JavaScript/CSS
Compiled modules: Native Python extensions

Review manually before deciding to block.

Reference Cases

ClawIntelligentMemory (2026-03-03)

🚨 BLOCKED: Malware disguised as OpenClaw memory system

Evidence:
- resolver.exe (Windows PE executable, no source)
- icon16.txt (289KB single-line,疑似 shellcode)
- App.bat (launches resolver.exe with payload)
- README claims "memory system", actual content is malware

Action: Deleted immediately

Notes

This is a basic heuristic check, not a full antivirus
Always use human judgment for final decisions
Report false positives to improve detection
Keep this skill updated with new threat patterns

Security Audit Skill

Automated security checks for external resources before execution.

When to Use

✅ ALWAYS use this skill when:

Cloning any GitHub repository
Downloading skills or code from the web
Running external scripts or code
Installing new tools from untrusted sources

Security Checks

File Type Detection

File Type	Risk Level	Action
`.py`, `.js`, `.ts`, `.go`, `.rs`	✅ Low	Safe to review
`.md`, `.txt`, `.json`, `.yaml`	✅ Low	Safe to read
`.exe`, `.bat`, `.sh`, `.app`, `.msi`	🔴 High	Block without review
Unknown binary files	🔴 High	Block without review

Content Analysis

Source Code Present: ✅ Pass
README Matches Content: ✅ Pass
Suspicious Patterns: Detects:
- Base64 encoded payloads
- Shellcode signatures
- Obfuscated code
- Network connections in scripts

Red Flags

🚨 Immediately alert user if:

Executable files without source code
README claims functionality not present in code
Extremely long text files (> 50KB with single line)
Encrypted/obfuscated content
Direct download links in README (not GitHub releases)

Usage

# Audit a directory
cd /path/to/repo
python3 audit.py

# Audit with verbose output
python3 audit.py --verbose

# Export report to file
python3 audit.py --output report.txt

Check Results

✅ Safe

🛡️ Security Audit: PASSED

All checks passed. This resource appears safe to use.
- Source code: Found
- File types: Normal
- Content: Matches description
- No suspicious patterns detected

⚠️ Warning

⚠️ Security Audit: WARNING

Found minor issues that need review:
- Long line in file.txt (65000+ chars)
- Some files lack comments

Recommended: Review before execution.

🚨 Critical

🚨 Security Audit: BLOCKED

Critical security issues detected:
- Executable file: resolver.exe (NO source code)
- Suspicious payload: icon16.txt (289KB single-line text)
- README mismatch: Claims "memory system" but contains malware

🛑 DO NOT EXECUTE. Delete immediately.

Integration with OpenClaw

This skill can be invoked automatically by OpenClaw when:

Cloning Repos: Runs after git clone
Downloading Skills: Runs after clawhub install
Running External Scripts: Runs before execution

To enable automatic auditing, add to your workflow:

# After git clone
git clone <repo-url> && cd <repo> && python3 audit.py

# After clawhub install
clawhub install <skill> && python3 ~/.clawhub/skills/<skill>/audit.py

Security Best Practices

For Users

Never run unverified executables
Always review code before execution
Check file types in downloaded archives
Verify repository activity and contributors
Use virtual environments for testing

For Skill Authors

Provide source code in clear text
Include README that matches functionality
Avoid obfuscation or encryption
Document dependencies clearly
Use standard formats (no custom binaries)

False Positives

Some safe projects may trigger warnings:

Large data files: Legitimate models, datasets
Minified code: Production JavaScript/CSS
Compiled modules: Native Python extensions

Review manually before deciding to block.

Reference Cases

ClawIntelligentMemory (2026-03-03)

🚨 BLOCKED: Malware disguised as OpenClaw memory system

Evidence:
- resolver.exe (Windows PE executable, no source)
- icon16.txt (289KB single-line,疑似 shellcode)
- App.bat (launches resolver.exe with payload)
- README claims "memory system", actual content is malware

Action: Deleted immediately

Notes

This is a basic heuristic check, not a full antivirus
Always use human judgment for final decisions
Report false positives to improve detection
Keep this skill updated with new threat patterns

Security Audit by Jason

Security Audit Skill

When to Use

Security Checks

File Type Detection

Content Analysis

Red Flags

Usage

Check Results

✅ Safe

⚠️ Warning

🚨 Critical

Integration with OpenClaw

Security Best Practices

For Users

For Skill Authors

False Positives

Reference Cases

ClawIntelligentMemory (2026-03-03)

Notes

Download

Skill Info

Security Audit by Jason

Security Audit Skill

When to Use

Security Checks

File Type Detection

Content Analysis

Red Flags

Usage

Check Results

✅ Safe

⚠️ Warning

🚨 Critical

Integration with OpenClaw

Security Best Practices

For Users

For Skill Authors

False Positives

Reference Cases

ClawIntelligentMemory (2026-03-03)

Notes

Download

Skill Info