registry  /  clawvet  /  0.7.5

clawvet@0.7.5

Skill vetting & supply chain security for OpenClaw. Scans SKILL.md files for prompt injection, credential theft, RCE, typosquatting, and social engineering.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 60.8 KB of source, external domains: bazzzz--0ab7a9301f3911f1ab9942dde27851f2.web.val.run, clawhub.ai, github.com, img.shields.io, raw.githubusercontent.com, tally.so

Source & flagged code

1 flagged · loading source
dist/index.jsView file
5import { readFileSync as readFileSync6 } from "fs"; L6: import { execFile } from "child_process"; L7: import { fileURLToPath } from "url"; ... L50: codeOnly: true, L51: fix: "Replace dynamic evaluation with a safer alternative like JSON.parse() or a sandboxed environment." L52: }, ... L163: name: "SSH_KEY_ACCESS", L164: pattern: /~\/\.ssh\/id_|\.pem\b|BEGIN\s+(RSA\s+)?PRIVATE\s+KEY/gi, L165: severity: "high", ... L289: codeOnly: true, L290: fix: "Use standard HTTP libraries (fetch, axios) instead of raw sockets for network communication." L291: },
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L5

Findings

1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings