© 2026 – Pkg Stats / Ryan Hefner

openclaw-security-scanner

v1.0.0

Published

Security auditing and static analysis tool for OpenClaw skills

Readme

🔒 OpenClaw Security Scanner

Automated security auditing for OpenClaw skills - Detect vulnerabilities, dangerous patterns, and supply chain risks before deployment.


🎯 What It Does

Scans OpenClaw skills for security issues:

  • 🔍 Static Code Analysis - Detect dangerous patterns (eval, exec, unsafe deserialization)
  • 📦 Dependency Scanning - Check for known vulnerabilities in npm packages
  • 🔐 Permission Auditing - Flag excessive tool access
  • 🚫 Pattern Detection - Identify common security anti-patterns
  • 📊 Risk Scoring - Quantify security posture
  • 🔄 CI/CD Integration - Block unsafe deployments

🚀 Quick Start

Install

npm install -g openclaw-security-scanner

Scan a Skill

openclaw-security scan

Example Output

🔒 OpenClaw Security Scanner v1.0.0

📂 Scanning: ./my-skill/

🔍 Static Analysis...
  ❌ CRITICAL: eval() usage detected in index.ts:42
  ⚠️  WARNING: exec() without input validation in utils.ts:15
  ✅ PASS: No unsafe deserialization

📦 Dependency Scan...
  ❌ CRITICAL: [email protected] (CVE-2021-23337)
  ⚠️  WARNING: [email protected] (CVE-2021-3749)

🔐 Permission Audit...
  ⚠️  WARNING: Broad file system access (Read/Write)
  ℹ️  INFO: Network access detected

📊 Security Score: 45/100 (HIGH RISK)

Issues Found: 2 critical, 3 warnings, 1 info
Recommendation: DO NOT DEPLOY

📖 Commands

openclaw-security scan [path]

Scan a skill directory:

openclaw-security scan ./my-skill

# Options:
#  --output <file>       Write report to file
#  --format <json|html>  Report format
#  --fail-on <level>     Exit code 1 if issues >= level (critical|high|medium)
#  --fix                 Auto-fix safe issues

openclaw-security check-deps

Audit dependencies only:

openclaw-security check-deps

# Checks:
# - Known vulnerabilities (CVE database)
# - Malicious packages
# - License compliance
# - Outdated packages
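As an added example (my own code, not part of openclaw-security-scanner), here is the core of a `check-deps` style audit in JavaScript: it flattens a constructed lockfileVersion 3 `package-lock.json`, compares every installed copy of a package (top-level and nested) against a small inline advisory list with a minimal semver comparator, and maps CVSS to the severity bands used under Detection Rules. The two advisory entries reuse the lodash and axios CVEs from the example output above with the versions that fix them (4.17.21 and 0.21.2) and their NVD base scores; a real scanner would query an advisory feed (OSV, the GitHub Advisory Database, `npm audit`) rather than hard-code entries, and `auditLockfile`, `satisfies` and `installedPackages` are this example's own names, not the tool's API.

```javascript
// Added example, not part of openclaw-security-scanner: a check-deps style
// audit over a lockfileVersion 3 package-lock.json. All names are assumptions.

// Split "4.17.20" (or "v4.17.20-beta") into numeric [major, minor, patch].
const semverParts = (v) => v.replace(/^v/, '').split('-')[0].split('.').map(Number);

// Negative if a < b, 0 if equal, positive if a > b (numeric, not lexical).
function compareSemver(a, b) {
  const pa = semverParts(a), pb = semverParts(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Does `version` fall inside a single-comparator range such as "<4.17.21"?
// Vulnerable ranges in advisories are usually expressed this way.
function satisfies(version, range) {
  const m = /^(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || '=', bound = m[2];
  const c = compareSemver(version, bound);
  return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op];
}

// CVSS bands from the Detection Rules section.
function severityFromCvss(score) {
  if (score >= 9.0) return 'critical';
  if (score >= 7.0) return 'high';
  if (score >= 4.0) return 'medium';
  return 'low';
}

// Constructed advisory subset: the two CVEs from the example output, with the
// versions that fix them and NVD base scores. A real scanner pulls this from an
// advisory feed (OSV, GitHub Advisory Database, npm audit) instead.
const ADVISORIES = [
  { id: 'CVE-2021-23337', name: 'lodash', vulnerable: '<4.17.21', cvss: 7.2, title: 'command injection via template()' },
  { id: 'CVE-2021-3749', name: 'axios', vulnerable: '<0.21.2', cvss: 7.5, title: 'ReDoS in trim()' },
];

// Flatten the "packages" map of a v3 lockfile into {name, version} entries.
// Nested copies ("node_modules/a/node_modules/lodash") are included because a
// vulnerable transitive copy is just as exploitable as a top-level one.
function installedPackages(lock) {
  const out = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue;                              // the root project itself
    const marker = 'node_modules/';
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    out.push({ name, version: meta.version });
  }
  return out;
}

function auditLockfile(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    for (const adv of advisories) {
      if (adv.name === pkg.name && satisfies(pkg.version, adv.vulnerable)) {
        findings.push({ ...pkg, id: adv.id, severity: severityFromCvss(adv.cvss), title: adv.title });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile: vulnerable top-level lodash, patched axios,
// and a patched nested lodash that must not be reported.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-skill', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.20' },
    'node_modules/axios': { version: '0.21.4' },
    'node_modules/some-dep/node_modules/lodash': { version: '4.17.21' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.severity.toUpperCase()}: ${f.name}@${f.version} (${f.id}) ${f.title}`);
}
```

Two things this keeps right that ad-hoc scripts often get wrong: versions are compared numerically (so 4.17.9 is older than 4.17.20), and nested copies under a dependency's own `node_modules` are audited too, since hoisting does not decide what actually gets `require`d at runtime.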

openclaw-security patterns

Check for dangerous code patterns:

openclaw-security patterns --strict

# Detects:
# - eval(), Function(), new Function()
# - exec(), spawn(), child_process
# - YAML.load on untrusted input (js-yaml < 4 `load` honours `!!js/function` tags); JSON.parse results used without validation
# - SQL injection risks
# - XSS vectors

openclaw-security permissions

Audit tool permissions:

openclaw-security permissions

# Flags:
# - Excessive file system access
# - Network requests to suspicious domains
# - Shell command execution
# - Sensitive data handling

openclaw-security report

Generate detailed security report:

openclaw-security report --format html --output report.html

🔍 Detection Rules

Critical Severity

  • eval() or new Function() usage
  • Arbitrary command execution without validation
  • Hardcoded credentials or API keys
  • Known CVEs in dependencies (CVSS >= 9.0)

High Severity

  • child_process.exec() with user input
  • Unsafe deserialization (YAML.load, pickle)
  • SQL queries with string concatenation
  • File operations with unsanitized paths
  • Known CVEs (CVSS 7.0-8.9)

Medium Severity

  • Missing input validation
  • Overly permissive file access
  • HTTP requests without TLS
  • Deprecated APIs
  • Known CVEs (CVSS 4.0-6.9)

Low Severity / Info

  • Code complexity warnings
  • Missing error handling
  • Performance anti-patterns
  • Style violations

🛠️ Configuration

.openclaw-security.yml

version: 1

# Severity threshold (fail CI if exceeded)
failOn: high

# Rules to enable/disable
rules:
  eval-usage: error
  exec-usage: warn
  hardcoded-secrets: error
  unsafe-yaml: error
  missing-validation: warn

# Allowlist for specific patterns
allow:
  - pattern: 'Math.eval'
    reason: 'Safe math expression evaluation'
  
  - file: 'test/**/*.ts'
    rule: '*'
    reason: 'Tests can use unsafe patterns'

# Dependency scan config
dependencies:
  allowVulnerabilities:
    - CVE-2021-12345  # Acknowledged, will fix in next release
  
  blockedPackages:
    - dangerous-package
    - known-malware

# Custom patterns (regex)
customPatterns:
  - pattern: 'password\s*=\s*["'']'   # in a single-quoted YAML scalar a literal ' is written as ''
    severity: critical
    message: 'Hardcoded password detected'

🔌 CI/CD Integration

GitHub Actions

name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      # For supply-chain safety, pin third-party actions to a commit SHA rather than a tag.
      - uses: actions/checkout@v4

      - name: Install Scanner
        run: npm install -g openclaw-security-scanner

      - name: Run Security Scan
        run: openclaw-security scan --fail-on high --format json --output security-report.json

      # if: always() keeps the report when the scan step fails the job, which is
      # exactly when you want to read it.
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: security-report.json

GitLab CI

security-scan:
  stage: test
  script:
    - npm install -g openclaw-security-scanner
    - openclaw-security scan --fail-on high --format json --output security-report.json
  artifacts:
    when: always            # keep the report even when the scan fails the job
    paths:
      - security-report.json
    # Use `reports: sast:` instead only if the JSON follows GitLab's SAST report schema;
    # the scanner's own JSON format is not that schema.

Pre-commit Hook

#!/bin/bash
# .git/hooks/pre-commit  (make it executable: chmod +x .git/hooks/pre-commit)

if ! openclaw-security scan --fail-on critical; then
  echo "❌ Security scan failed. Fix issues before committing."
  exit 1
fi

📊 Security Score Calculation

Score = 100 - (weighted penalty sum)

| Severity | Penalty per Issue |
|----------|-------------------|
| Critical | 30 points         |
| High     | 15 points         |
| Medium   | 5 points          |
| Low      | 1 point           |

Grades:

  • 90-100: Excellent ✅
  • 70-89: Good ⚠️
  • 50-69: Fair ⚠️
  • 0-49: Poor ❌ (DO NOT DEPLOY)
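As an added example (my own code, not the scanner's), here is the pattern-detection and scoring pipeline in JavaScript, covering both the `patterns` command and this scoring section: a comment/string stripper so that `eval` in a comment or `exec(` inside a string is not reported, a handful of rules following the Detection Rules severities, and the score and grade tables above, run over two constructed skills modelled on Example 2 and Example 3. The rule regexes, the clamp at 0, and the names `scanSource`, `securityScore` and `grade` are this example's own; the scanner's real rule set is not published on this page.

```javascript
// Added example, not part of openclaw-security-scanner: pattern detection with
// comment/string stripping, plus the score and grade tables from this section.
// RULES, the clamp at 0 and all names are this example's own assumptions.

const PENALTY = { critical: 30, high: 15, medium: 5, low: 1 };

// scope 'code' runs on source with strings and comments blanked out;
// scope 'raw' runs on the original line (secrets live inside string literals).
const RULES = [
  { id: 'eval-usage', severity: 'critical', scope: 'code', re: /\beval\s*\(/ },
  { id: 'function-ctor', severity: 'critical', scope: 'code', re: /\bnew\s+Function\s*\(|\bFunction\s*\(/ },
  { id: 'hardcoded-secret', severity: 'critical', scope: 'raw',
    re: /\b(?:api[_-]?key|secret|password|token)\s*[:=]\s*['"][^'"]{8,}['"]/i },
  { id: 'exec-usage', severity: 'high', scope: 'code', re: /\b(?:exec|execSync|spawn|spawnSync)\s*\(/ },
  { id: 'unsafe-yaml', severity: 'high', scope: 'code', re: /\byaml\.load\s*\(/i },
];

// Blank out string literals and comments, one output line per input line, so
// that "eval" in a comment or "exec(" inside a string is not matched.
// Regex literals are not understood (a `//` inside one ends the line early).
function stripLiterals(source) {
  const out = [];
  let inBlock = false;   // inside /* ... */
  let quote = null;      // current string delimiter, or null
  for (const line of source.split('\n')) {
    let code = '';
    for (let i = 0; i < line.length; i++) {
      const ch = line[i], next = line[i + 1];
      if (inBlock) {
        if (ch === '*' && next === '/') { inBlock = false; i++; }
        code += ' ';
      } else if (quote) {
        if (ch === '\\') i++;                  // skip the escaped character
        else if (ch === quote) quote = null;
        code += ' ';
      } else if (ch === '/' && next === '/') {
        break;                                 // line comment: drop the rest
      } else if (ch === '/' && next === '*') {
        inBlock = true; i++; code += ' ';
      } else if (ch === '"' || ch === "'" || ch === '`') {
        quote = ch; code += ' ';
      } else {
        code += ch;
      }
    }
    if (quote !== '`') quote = null;           // only template literals span lines
    out.push(code);
  }
  return out;
}

function scanSource(source, file) {
  const rawLines = source.split('\n');
  const codeLines = stripLiterals(source);
  const findings = [];
  rawLines.forEach((raw, idx) => {
    for (const r of RULES) {
      const target = r.scope === 'raw' ? raw : codeLines[idx];
      if (r.re.test(target)) {
        findings.push({ rule: r.id, severity: r.severity, file, line: idx + 1, snippet: raw.trim() });
      }
    }
  });
  return findings;
}

// Score = 100 - weighted penalty sum, clamped at 0 (the bare formula would
// otherwise go negative at four criticals).
function securityScore(findings) {
  const penalty = findings.reduce((sum, f) => sum + (PENALTY[f.severity] || 0), 0);
  return Math.max(0, 100 - penalty);
}

function grade(score) {
  if (score >= 90) return 'Excellent';
  if (score >= 70) return 'Good';
  if (score >= 50) return 'Fair';
  return 'Poor (DO NOT DEPLOY)';
}

// Constructed samples modelled on Example 2 and Example 3, with two decoys a
// plain grep would report: eval in a comment and "exec(" inside a string.
const UNSAFE_SKILL = [
  '// constructed sample: eval() mentioned in a comment is not a call',
  'export async function handler(input, tools) {',
  '  const result = eval(input.code);',
  '  await tools.exec({ command: input.userCommand });',
  "  const apiKey = 'sk-1234567890abcdef';",
  '  console.log("exec( inside a string literal is not a call either");',
  '  return result;',
  '}',
].join('\n');

const FIXED_SKILL = [
  'export async function handler(input, tools) {',
  "  const allowedCommands = ['ls', 'pwd'];",
  "  if (!allowedCommands.includes(input.command)) throw new Error('Invalid command');",
  '  const output = await tools.exec({ command: input.command });',
  '  const apiKey = process.env.API_KEY;',
  '  return { output, configured: Boolean(apiKey) };',
  '}',
].join('\n');

for (const [name, src] of [['unsafe', UNSAFE_SKILL], ['fixed', FIXED_SKILL]]) {
  const findings = scanSource(src, `${name}/index.ts`);
  const score = securityScore(findings);
  console.log(`${name}: ${findings.length} finding(s), score ${score}/100 (${grade(score)})`);
}
```

The unsafe sample scores 25 (three criticals minus the two decoys), the fixed one 85: a regex rule cannot tell `exec` of an allowlisted command from `exec(input.userCommand)`, so the allowlisted call is still flagged as high. That gap is what the config allow list is for, and it is also why the README's rules separate "arbitrary command execution" (critical) from "exec with user input" (high): telling those apart needs data-flow analysis, not pattern matching.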

🎓 Examples

Example 1: Safe Skill

// ✅ Good: Input validation + safe APIs
import { validate } from './validator';

export async function handler(input, tools) {
  const query = validate(input.query, { maxLength: 100 });
  const results = await tools.web_search({ query });
  return { results };
}

Example 2: Unsafe Skill (BLOCKED)

// ❌ Bad: Multiple critical issues
export async function handler(input, tools) {
  // CRITICAL: eval() usage
  const result = eval(input.code);
  
  // CRITICAL: Arbitrary command execution
  await tools.exec({ command: input.userCommand });
  
  // CRITICAL: Hardcoded credential
  const apiKey = 'sk-1234567890abcdef';
  
  return result;
}

// Security Score: 10/100 ❌ BLOCKED

Example 3: Fixed Skill

// ✅ Fixed version
// Wrapping eval() in vm2 is not a fix: vm2 is discontinued and had a series of
// sandbox-escape CVEs in 2023. Caller-supplied code is simply not evaluated here.
// If a skill genuinely must run untrusted code, do it out of process (isolated-vm,
// a container, or a separate service), never inside the skill's own runtime.
export async function handler(input, tools) {
  // Safe: the command is matched exactly against an allowlist, so no
  // caller-controlled arguments or shell metacharacters reach exec
  const allowedCommands = ['ls', 'pwd', 'echo'];
  if (!allowedCommands.includes(input.command)) {
    throw new Error('Invalid command');
  }
  const output = await tools.exec({ command: input.command });

  // Safe: credential read from the environment, never from source
  const apiKey = process.env.API_KEY;
  if (!apiKey) {
    throw new Error('API_KEY is not configured');
  }

  return { output };
}

// Security Score: 95/100 ✅

🤝 Contributing

Contributions welcome! We need:

  • [ ] More detection patterns
  • [ ] CVE database integration
  • [ ] Secret detection algorithms
  • [ ] SARIF format support
  • [ ] IDE extensions (VSCode, IntelliJ)

📄 License

MIT © Alex - Built for secure OpenClaw ecosystems

Security first. Deploy with confidence. 🔒