PhilipKarns/clawdefend-scanner

clawdefend-scanner

Open source security scanner for OpenClaw AI skills.

This is the core scanning engine that powers ClawDefend — the security analysis platform for the OpenClaw ecosystem.

What It Does

Scans OpenClaw AI skills (from ClawHub or GitHub) for security vulnerabilities:

  • Static analysis — 15+ rules across SSRF, command injection, credential exposure, path traversal, eval/exec abuse, suspicious URLs, and more
  • LLM analysis — GPT-4o intent analysis to catch obfuscated or context-dependent risks
  • Scoring — Letter-grade scoring (A–F) with severity levels (Clean / Low / Medium / High / Critical)
  • Binary detection — Flags compiled binaries, caps score at C (70) when present
  • ClawHub integration — Fetches and scans skills directly from clawhub.ai
  • GitHub integration — Scans skills from any public GitHub repo
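To make the "static analysis" bullet concrete, here is an added example of a small regex-driven rule engine of the kind described above. It is not code from clawdefend-scanner: the rule ids, patterns, the `SkillFile`/`Finding` shapes and the sample skill are all constructed for illustration, and a real rule set pairs such patterns with AST checks to cut false positives.

```typescript
// Added example, not code from clawdefend-scanner: a minimal regex-based rule
// engine in the style the README describes. Rule ids, patterns, the SkillFile
// shape and the sample skill below are constructed for illustration.

type Severity = "low" | "medium" | "high" | "critical";

interface SkillFile { path: string; content: string }

interface Finding {
  ruleId: string;
  severity: Severity;
  file: string;
  line: number;
  message: string;
  evidence: string;
}

interface Rule {
  id: string;
  severity: Severity;
  pattern: RegExp; // must carry the g flag so every hit in a file is reported
  message: string;
}

// Four rules covering categories from the feature list above.
const RULES: Rule[] = [
  { id: "EVAL_EXEC", severity: "high", message: "Dynamic code evaluation",
    pattern: /\b(?:eval|new\s+Function)\s*\(/g },
  // exec/execSync/spawn(Sync) whose first argument is a template with ${...} or a concatenation
  { id: "COMMAND_INJECTION", severity: "critical", message: "Shell command built from interpolated or concatenated input",
    pattern: /\b(?:exec|execSync|spawnSync?)\s*\(\s*(?:`[^`]*\$\{|[^)]*\+)/g },
  { id: "CREDENTIAL_EXPOSURE", severity: "high", message: "Hard-coded credential-looking literal",
    pattern: /(?:api[_-]?key|secret|token|password)\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']/gi },
  { id: "SUSPICIOUS_URL", severity: "medium", message: "Outbound URL points at a raw IP address",
    pattern: /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b/gi },
];

// 1-based line number of a character offset within text.
function lineOf(text: string, index: number): number {
  let line = 1;
  for (let i = 0; i < index; i++) if (text.charCodeAt(i) === 10) line++;
  return line;
}

function runStaticRules(files: SkillFile[], rules: Rule[] = RULES): Finding[] {
  const findings: Finding[] = [];
  for (const file of files) {
    for (const rule of rules) {
      // Fresh RegExp per file so a stale lastIndex from the previous file cannot skip matches.
      const re = new RegExp(rule.pattern.source, rule.pattern.flags);
      let m: RegExpExecArray | null;
      while ((m = re.exec(file.content)) !== null) {
        findings.push({
          ruleId: rule.id,
          severity: rule.severity,
          file: file.path,
          line: lineOf(file.content, m.index),
          message: rule.message,
          evidence: m[0].trim(),
        });
        if (m[0].length === 0) re.lastIndex++; // guard against zero-width matches looping forever
      }
    }
  }
  return findings;
}

// Constructed sample skill exhibiting exactly one hit per rule.
const SAMPLE_SKILL: SkillFile[] = [
  {
    path: "index.js",
    content: [
      'const { execSync } = require("child_process");',
      'const API_KEY = "sk_live_0123456789abcdefghij";',
      "function run(input) {",
      '  return execSync("ls " + input).toString();',
      "}",
      "module.exports = { run };",
    ].join("\n"),
  },
  {
    path: "helper.js",
    content: 'fetch("http://203.0.113.7:8080/beacon");\nconst f = new Function("return 1");',
  },
];

for (const f of runStaticRules(SAMPLE_SKILL)) {
  console.log(`[${f.severity}] ${f.ruleId} ${f.file}:${f.line}  ${f.evidence}`);
}
```

Each finding carries file, line and the matched evidence so a reviewer can jump straight to the spot; the per-file `RegExp` copy and the zero-width guard are the two details that most often bite hand-rolled rule loops.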

Files

File                    Purpose
src/static-analysis.ts  15+ static rules engine — pattern matching, AST-style checks
src/llm-analysis.ts     GPT-4o intent analysis for subtle/obfuscated risks
src/scoring.ts          Score calculation, letter grades, severity thresholds
src/clawhub.ts          ClawHub URL parsing, ZIP download, binary detection
src/github.ts           GitHub repo file fetching
src/index.ts            Pipeline orchestration and exports

Usage

This is a TypeScript library. The full ClawDefend platform (web dashboard, API, auth, billing) is at clawdefend.com.

import { fetchClawHubFiles, runStaticAnalysis, runLLMAnalysis, calculateScore } from "./src";

// Scan a ClawHub skill
const { files, binaryFiles } = await fetchClawHubFiles("https://clawhub.ai/author/skill-name");

// Run static rules
const staticFindings = runStaticAnalysis(files);

// Run LLM analysis (requires OPENAI_API_KEY)
const llmResult = await runLLMAnalysis(files);

// Merge and score
const allFindings = [...staticFindings, ...llmResult.findings];
const { overallScore, severity } = calculateScore(allFindings, {
  binaryFiles: binaryFiles.map(b => b.path)
});

console.log(`Score: ${overallScore}/100 (${severity})`);
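The usage snippet ends by handing merged findings to `calculateScore`. The following added example shows one way such a scoring step can work, with the same call shape; it is not the project's `src/scoring.ts`. The penalty weights, the per-rule saturation and the grade thresholds are assumptions; the only figure taken from this README is the cap at 70 (grade C) when compiled binaries are present.

```typescript
// Added example, not src/scoring.ts from the project: turns findings into a
// 0-100 score, a letter grade and an overall severity. Weights, per-rule
// saturation and grade thresholds are assumptions; only the binary cap of 70
// (grade C) comes from the README.

type Severity = "low" | "medium" | "high" | "critical";
type SeverityLabel = "Clean" | "Low" | "Medium" | "High" | "Critical";
type Grade = "A" | "B" | "C" | "D" | "F";

interface ScoredFinding { ruleId: string; severity: Severity }
interface ScoreResult { overallScore: number; grade: Grade; severity: SeverityLabel; capped: boolean }

const PENALTY: Record<Severity, number> = { low: 2, medium: 6, high: 15, critical: 30 };
const LABEL: Record<Severity, SeverityLabel> = { low: "Low", medium: "Medium", high: "High", critical: "Critical" };
const ORDER: Severity[] = ["low", "medium", "high", "critical"];
const MAX_PENALTY_PER_RULE = 45; // repeated hits of one rule saturate instead of zeroing the score
const BINARY_CAP = 70;           // README: a skill shipping compiled binaries scores at most C (70)

function letterGrade(score: number): Grade {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 60) return "D";
  return "F";
}

// Overall severity follows the worst finding present, independent of the numeric score.
function worstSeverity(findings: ScoredFinding[]): Severity | null {
  let worst: Severity | null = null;
  for (const f of findings) {
    if (worst === null || ORDER.indexOf(f.severity) > ORDER.indexOf(worst)) worst = f.severity;
  }
  return worst;
}

function calculateScore(findings: ScoredFinding[], opts: { binaryFiles?: string[] } = {}): ScoreResult {
  // Accumulate penalties per rule so that many hits of one medium rule
  // cannot outweigh a single critical one.
  const perRule: Record<string, number> = {};
  for (const f of findings) {
    perRule[f.ruleId] = Math.min(MAX_PENALTY_PER_RULE, (perRule[f.ruleId] || 0) + PENALTY[f.severity]);
  }
  let score = 100;
  for (const id in perRule) score -= perRule[id];
  score = Math.max(0, score);

  const hasBinaries = (opts.binaryFiles || []).length > 0;
  const capped = hasBinaries && score > BINARY_CAP;
  if (capped) score = BINARY_CAP;

  const worst = worstSeverity(findings);
  // Assumption: an otherwise clean skill that ships binaries is reported as Medium, not Clean.
  const severity: SeverityLabel = worst ? LABEL[worst] : hasBinaries ? "Medium" : "Clean";
  return { overallScore: score, grade: letterGrade(score), severity, capped };
}

// Constructed input: one critical and one medium finding from different rules, plus one binary.
const demo = calculateScore(
  [{ ruleId: "COMMAND_INJECTION", severity: "critical" }, { ruleId: "SUSPICIOUS_URL", severity: "medium" }],
  { binaryFiles: ["bin/helper"] },
);
console.log(`Score: ${demo.overallScore}/100 grade ${demo.grade} (${demo.severity})`);
```

Note the two distinct signals in the result: the numeric score is driven by penalties and the binary cap, while the severity label is driven by the worst individual finding, so a skill can score 64 (D) and still be labelled Critical because of a single command-injection hit.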

Requirements

  • Node.js 18+
  • OPENAI_API_KEY env var (for LLM analysis)
  • Optional: GITHUB_TOKEN for higher GitHub API rate limits

Dependencies

  • fflate — ZIP extraction
  • openai — LLM analysis

Stats

Built from scanning 851+ OpenClaw skills. Found vulnerabilities in 70%+ of scanned skills.

License

MIT — use it, fork it, improve it.

Related

  • ClawDefend — Full platform with dashboard, monitoring, and alerts
  • ClawHub — The OpenClaw skill marketplace
