Security scanner for OpenClaw skill files — free CLI tool
ToolSkillScan is a Python CLI tool that scans OpenClaw skill files for security vulnerabilities. It was built because skill files are the primary attack surface for AI agent deployments — and there was no automated way to audit them.
The scanner covers 10 threat categories with 50+ detection patterns: prompt injection, credential theft, file system abuse, network exfiltration, unauthorized messaging, recursive loading, privilege escalation, obfuscation techniques, social engineering patterns, and configuration tampering. Each pattern is derived from real attack vectors documented in the OWASP Agentic Security Initiative.
Output formats: human-readable text with color-coded severity ratings and a JSON mode for CI/CD integration. Bulk scanning mode lets you run it against an entire skills directory in one command. Each skill gets an A-F security grade based on the findings.
SkillScan is free, open source, and MIT licensed. Use it in your CI pipeline, run it before deploying new skills, or use it as part of the Done-For-You Security Audit workflow.
Version 1 covers 10 threat categories with 50+ patterns. Available on GitHub. Pattern library updated as new attack vectors are documented.