SkillScan OpenClaw Skill
Security gate for skills. Every new skill MUST pass SkillScan before use. Activate on any install, load, add, evaluate, or safety question about a skill. On...
Installation
clawhub install skillscan
Requires npm i -g clawhub
128.6k downloads · 11 stars · 2 versions
Installs: 1 current, 1 all-time
SkillScan v1.1.6
Security check for skill packages. Every new skill must pass this scan before use.
Implemented in scripts/scanner.py. Supports Windows / macOS / Linux.
Do NOT generate report files inside the skill directory.
When to Activate
Run SkillScan whenever a skill is installed, loaded, added, evaluated, or questioned for safety — regardless of method or phrasing.
Trigger examples: install, load, add, use, set up, "is this safe", upload .zip/.skill, paste SKILL.md, mention unknown skill name, install from hub/store.
First Load
Check scripts/.first_run_done:
- Not found → Tell user SkillScan is installed, ask to scan all existing skills:
  python <skill_scanner_dir>/scripts/scanner.py first-run
  .first_run_done is created automatically after completion.
- Found → Skip, operate normally.
Commands
| Command | Usage |
|---|---|
| scanner.py scan <path> | Scan a single skill (.zip or directory) |
| scanner.py scan-all | Scan all installed skills |
| scanner.py first-run | First-time full scan |
| scanner.py upgrade | Manual upgrade |
Scan Rules
- .zip files → Scan BEFORE installation. Block if fails.
- Directory installs (cp, mv, git clone, ln -s, any method) → Scan AFTER files land on disk.
- Remote installs (clawhub, skillhub, npx skills add, etc.) → Scan immediately after install.
- Unknown skills → If user mentions a skill you haven't seen, scan it.
Exit Codes
| Code | Verdict | Action |
|---|---|---|
| 0 | UNKNOWN / SAFE | Proceed |
| 1 | LOW / MEDIUM | Warn user, ask to confirm |
| 2 | HIGH / CRITICAL | Block, show details |
| 3 | Scan failed | Explain, offer retry |
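A wrapper that enforces the exit-code table above around an install step, as an added example (not SkillScan's own code). The names `gate_install`, `decide` and `run_scanner`, the `install`/`confirm` callbacks, and the 300-second timeout are assumptions; exit codes outside the table are treated as Block.

```python
import subprocess
import sys
from enum import Enum


class Action(Enum):
    PROCEED = "proceed"
    CONFIRM = "warn user, ask to confirm"
    BLOCK = "block, show details"
    RETRY = "explain, offer retry"


# Exit-code table from the page: 0 SAFE/UNKNOWN, 1 LOW/MEDIUM, 2 HIGH/CRITICAL, 3 scan failed.
EXIT_ACTIONS = {0: Action.PROCEED, 1: Action.CONFIRM, 2: Action.BLOCK, 3: Action.RETRY}


def run_scanner(scanner_py, skill_path, timeout=300):
    """Run `scanner.py scan <path>`; return its exit code, or 3 if it cannot run."""
    try:
        proc = subprocess.run([sys.executable, scanner_py, "scan", skill_path],
                              capture_output=True, text=True, timeout=timeout)
        return proc.returncode
    except (OSError, subprocess.TimeoutExpired):
        return 3  # assumption: a scanner that cannot finish counts as "scan failed"


def decide(exit_code):
    """Map an exit code to an action; anything outside the table fails closed."""
    return EXIT_ACTIONS.get(exit_code, Action.BLOCK)


def gate_install(skill_path, install, confirm, scan=run_scanner,
                 scanner_py="scripts/scanner.py"):
    """Scan first, then call install() only if the verdict allows it.

    Matches the .zip rule (scan BEFORE installation). `install` and `confirm`
    are hypothetical callbacks supplied by the caller.
    """
    action = decide(scan(scanner_py, skill_path))
    if action is Action.PROCEED or (action is Action.CONFIRM and confirm(skill_path)):
        install(skill_path)
        return action, True
    return action, False
```
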
Auto Update
Checks for updates every day automatically. Silent, no user action needed. Manual: scanner.py upgrade.
Environment Variables
| Variable | Description |
|---|---|
| SKILL_SCANNER_UPDATE_URL | Custom update source (optional) |
API
Base URL: https://skillscan.tokauth.com
| Step | Method | Path |
|---|---|---|
| ① Cache lookup | GET | /oapi/v1/skill-scan/search?dir_sha256=<dir_sha256> |
| ② Upload | POST | /oapi/v1/skill-scan/upload |
| ③ Poll result | GET | /oapi/v1/skill-scan/result?task_no=<task_no> (poll every 20s, max 180s) |
Author
tokauthai
@tokauthai
Latest Changes
v1.1.6 · Apr 20, 2026
- Major cleanup: The readme documentation was removed.
- Simplified "First Load" process in SKILL.md by removing the requirement to write Skill Security rules to SOUL.md.
- Uninstall instructions regarding SOUL.md cleanup were dropped from the SKILL.md.
- Updated metadata version to 1.1.6.