Skill Analyzer Now Available on ClawHub with One-Command Install

The OpenClaw Skill Analyzer, a security scanner for AI skills, is now available on ClawHub with a simplified installation process. Previously only on GitHub, users can now install it with a single command.
Installation and Features
To install the Skill Analyzer from ClawHub, run:
npx clawhub@latest install openclaw-skill-analyzerThe tool scans any skill folder for potentially malicious patterns including prompt injection, credential theft, data exfiltration, backdoors, and obfuscation. It provides a risk rating before installation and includes over 40 detection rules across 12 categories.
Security Features
A key security feature is Docker sandbox support. Scans can be run inside a Docker container with:
- No network access
- Read-only filesystem
- 256MB memory cap
- Container destroyed after each scan
This isolates potentially malicious skills from your system. The README includes a one-liner Docker command for this sandboxed execution.
Development Status
The tool is actively maintained with updates when new malicious patterns are discovered in the wild. The developer welcomes reports of patterns the tool doesn't yet catch.
Note: ClawHub may show a warning when installing the Skill Analyzer because the scanner flags its own detection patterns.
📖 Read the full source: r/openclaw
👀 See Also

AppLovin Mediation Cipher Broken: Device Fingerprinting Bypasses ATT
Reverse-engineering revealed that AppLovin's custom cipher uses a constant salt + SDK key, a SplitMix64 PRNG, and no authentication. Decrypted requests carry ~50 device fields (hardware model, screen size, locale, boot time, etc.) even when ATT is denied, enabling deterministic re-identification across apps.

Malicious PyTorch Lightning Package Steals Credentials and Worms npm Packages
PyPI package 'lightning' versions 2.6.2 and 2.6.3 contain Shai-Hulud themed malware that steals credentials, tokens, and cloud secrets, and spreads to npm packages via injected JavaScript payloads.

Introducing SkillFence: The New Runtime Monitor That Watches What Skills Actually Do
SkillFence offers a breakthrough in monitoring AI agent actions, addressing the need for transparency and security in AI-driven environments. Discover how this innovative tool can enhance control over autonomous processes.

Coldkey: Post-Quantum Age Key Generation and Paper Backup Tool
Coldkey generates post-quantum age keys (ML-KEM-768 + X25519) and produces single-page printable HTML backups with QR codes for offline storage.