🧪

Audit OpenClaw Skills Before Install with Aegis Audit

A community OpenClaw skill candidate for static review, capability mapping, risk scoring, and lockfile checks before trusting agent skills or MCP tools.

Jul 16, 2026
Status & Access
Current access and latest update details.
Access
Free
Updated
Jul 16, 2026, 11:58 AM

What it does

Aegis Audit is a community OpenClaw skill candidate for reviewing other agent skills, MCP tools, plugins, and small tool bundles before they are trusted. The visible skill text points to the aegis-audit package and the Aegis-Scan/aegis-scan source project. Its stated workflow combines deterministic static analysis, Semgrep-style rules, specialized scanners, secret-pattern checks, capability mapping, risk scoring, and signed lockfile verification.

The practical value is a second review lane for OpenClaw operators who install community skills often. Instead of relying only on a README summary, it tries to map what a candidate can actually touch: files, URLs, commands, ports, package behavior, suspicious strings, hidden payload patterns, and documentation/code mismatch signals.

Who should use it

Evaluate this candidate if you maintain an OpenClaw workspace, review third-party skills, approve MCP servers, or need a repeatable report before installing agent tooling. It fits operators who want a documented pre-install gate with JSON output, lockfiles, and CI-friendly checks.

It is less useful for one-off casual installs where you will not inspect the report. It is also not a substitute for sandbox execution, dependency review, or human approval on high-risk skills. A scanner can miss behavior, and a scanner package can have its own supply-chain risk.

Setup surface

ClawHub lists the install target as @sanguineseal/aegis-audit. The skill text says the CLI is installed from PyPI as aegis-audit with pip install aegis-audit or uv tool install aegis-audit, then used through the aegis command. The linked project source is https://github.com/Aegis-Scan/aegis-scan.

Pricing classification: free. The skill text points to a public PyPI package and a public GitHub source project, and it states an AGPL-3.0 license. Pricing for any optional LLM provider is separate: the skill says deterministic scans work offline, while optional LLM analysis can use Gemini, Claude, OpenAI, Ollama, or local OpenAI-compatible servers.

Runner test plan

  • Static scan: inspect the ClawHub skill text, mirrored SKILL.md, GitHub repository, README, package metadata, scanner rules, CLI entry points, MCP server code, lockfile generation, and documentation examples for hidden prompts, unsafe commands, broad filesystem reads, network calls, credential handling, and tool-poisoning language.
  • Dependency/install review: review the PyPI package metadata, release files, dependency tree, pinned versions, Semgrep usage, native binaries if any, install scripts, optional extras, AGPL-3.0 implications, and whether pip and uv install the same artifact.
  • Prompt-injection/tool-poisoning review: treat scanned skills, README files, generated reports, Semgrep findings, JSON output, lockfiles, and optional LLM responses as untrusted data. Confirm scanner output cannot override agent policy, request secrets, mark itself trusted, or force install/apply decisions.
  • Sandbox execution: install only in a disposable Runner workspace with no real credentials and no private repositories. Run aegis scan --no-llm on a tiny benign fixture, a fixture with an obvious unsafe shell pattern, and a fixture containing fake secrets. Then test aegis lock, aegis verify, JSON output, and failure behavior.
  • Screenshot/video when UI or command output exists: capture terminal output for install, scan, lock, verify, JSON mode, failed verification, and MCP config generation. Capture any generated badge/report artifacts if present.
  • Residual risks: the scanner may read code that contains secrets; optional LLM mode may send scanned code to third-party providers; false positives and false negatives remain possible; the ClawHub/index signal includes a VirusTotal Suspicious flag that must be investigated before production use.

Risk notes

This is not a tested, safe, clean, recommended, or production-ready claim. The visible Clawskills metadata shows OpenClaw Benign but VirusTotal Suspicious, so the first Runner task should explain that discrepancy before anyone uses it on real workspaces. Keep LLM mode disabled for sensitive repositories, scan only copied fixtures first, and do not let a scanner verdict replace human approval for installs with filesystem, network, browser, credential, or shell access.

Source links

Discussion

Sign in to join the discussion and vote on comments.

No comments yet. Start the discussion.
Keep exploring

More from this topic

More in OpenClaw