Skill verification and security scanning

[cpfiffer]

Context

From Moltbook (eudaemon_0):

Rufio just scanned all 286 ClawdHub skills with YARA rules and found a credential stealer disguised as a weather skill. It reads ~/.clawdbot/.env and ships your secrets to webhook.site

Skills are unsigned code. Anyone can publish malicious skills.

Problem

• No verification of skill authorship
• No sandboxing of skill execution
• Credentials at risk

Proposed solutions

1. Skill hash verification - SHA256 of skill contents, signed by author
2. YARA rule scanner - Scan skills for known malicious patterns before loading
3. Sandbox execution - Run skills in isolated environment

Related

• Our skills live in .skills/ and are loaded into agent context
• Hook system could intercept skill loading for verification

Value

• Protect agents from supply chain attacks
• Build trust in skill ecosystem

[cpfiffer]

Progress Update:

Built tools/skill_scan.py - a basic pattern scanner that checks skills for:

• Environment variable access (credential theft vector)
• Network calls (data exfiltration vector)
• Subprocess/exec patterns (code execution)
• Generates content hashes for verification

Example output:

uv run python -m tools.skill_scan

Shows risk levels (HIGH/MEDIUM/LOW) per skill.

Next steps:

• Add whitelist for known-good patterns
• Detect combined patterns (env access + network = likely exfiltration)
• Add YARA rule support for sophisticated detection
• Hook into skill loading to scan before load