Zero-dependency security scanner for AI Agent Skills.
One file. No install. 13 threat categories. Catches what Cisco, Snyk, and VirusTotal miss.
# That's it. Copy the file, run it.
node guava-guard.js ~/.openclaw/workspace/skills/ --verbose --self-excludeThe OpenClaw/ClawHub ecosystem has a serious security problem:
- 341 malicious skills found by Koi Security (ClawHavoc campaign)
- 283 leaky skills exposing API keys through LLM context (Snyk)
- 26% of 31,000 skills have at least one vulnerability (Cisco)
- 30,000+ exposed instances on the public internet (Censys)
- Prompt worms actively spreading through Moltbook (Simula Research Lab)
Cisco's scanner needs Python + pip + API keys. GuavaGuard needs Node.js and 3 seconds.
# Scan your skills directory
node guava-guard.js ./skills/ --verbose
# Full scan with dependency analysis
node guava-guard.js ./skills/ --verbose --check-deps --self-exclude
# Generate reports
node guava-guard.js ./skills/ --json --sarif --html
# CI/CD: fail build on findings
node guava-guard.js ./skills/ --fail-on-findings --sarifOr install via ClawHub:
clawhub install guava-guard| # | Category | Severity | What It Catches |
|---|---|---|---|
| 1 | Prompt Injection | π΄ CRIT | ignore previous instructions, zero-width Unicode, BiDi attacks, XML tags, homoglyphs |
| 2 | Malicious Code | π΄ CRIT | eval(), reverse shells, raw sockets, Function() constructor |
| 3 | Suspicious Downloads | π΄ CRIT | curl|bash, password-protected ZIPs, fake prerequisites |
| 4 | Credential Handling | π HIGH | .env reading, SSH keys, crypto wallets, OpenClaw config access |
| 5 | Secret Detection | π HIGH | Hardcoded API keys, AWS keys, private keys, Shannon entropy analysis |
| 6 | Exfiltration | π‘ MED | webhook.site, POST with secrets, DNS exfil, curl data exfil |
| 7 | Dependency Chain | π HIGH | Risky npm packages, lifecycle scripts, remote deps, wildcard versions |
| 8 | Financial Access | π‘ MED | Crypto transactions, Stripe/PayPal/Plaid API calls |
| 9 | Leaky Skills β | π΄ CRIT | "Save API key to memory", verbatim output traps, PII collection |
| 10 | Memory Poisoning β | π΄ CRIT | SOUL.md writes, rule overrides, persistent behavior changes |
| 11 | Prompt Worms β | π΄ CRIT | Self-replicating prompts, agent propagation, CSS-hidden payloads |
| 12 | Persistence β | π HIGH | Cron abuse, LaunchAgents, systemd, heartbeat manipulation |
| 13 | CVE Patterns β | π΄ CRIT | CVE-2026-25253 (gatewayUrl injection), sandbox disabling |
β = New in v4.0 β not detected by Cisco Skill Scanner
| Engine | What It Does |
|---|---|
| JS Data Flow | Tracks require() β secret reads β fetch()/exec() chains |
| Cross-File Analysis | Detects payloads split across multiple files |
| Combo Multipliers | Credential + exfil = 2x risk, memory poison = 1.5x, prompt worm = 2x |
| Obfuscation | Hex encoding, base64βexec, charCode construction |
| Feature | GuavaGuard v4 | Cisco Scanner | Snyk Evo | Koi Clawdex |
|---|---|---|---|---|
| Zero dependencies | β | β Python+pip | β | β |
| Single file | β | β | β | β |
| Leaky Skills | β | β | β | β |
| Memory Poisoning | β | β | β | β |
| Prompt Worms | β | β | β | β |
| CVE Patterns | β | β | β | β |
| Persistence | β | β | β | β |
| JS Data Flow | β | β (AST) | β | β |
| Cross-file | β | β | β | β |
| Unicode/BiDi | β | β | β | β |
| Homoglyphs | β | β | β | β |
| SARIF (CI/CD) | β | β | β | β |
| HTML Report | β | β | β | β |
| Custom Rules | β | β (YARA) | β | β |
| LLM Analysis | β (v5) | β (API key) | β | β |
| VirusTotal | β (v5) | β (API key) | β | β |
ππ‘οΈ GuavaGuard v4.0.0 Security Scanner
ββββββββββββββββββββββββββββββββββββββββββββββββββββββ
π Scanning: ./skills/
π¦ Skills found: 20
π’ my-safe-skill β CLEAN (risk: 0)
π‘ sketch-tool β SUSPICIOUS (risk: 45)
π data-flow
π [CRITICAL] Data flow: secret read (L36) β network call (L56)
π΄ totally-legit β MALICIOUS (risk: 100)
π prompt-worm
π [CRITICAL] Prompt worm: self-replication instruction
π memory-poisoning
π [CRITICAL] Memory poisoning: SOUL/IDENTITY file modification
Dark-theme dashboard with stats grid, color-coded findings, and per-skill breakdowns.
Upload directly to GitHub Code Scanning for PR annotations.
| Flag | Description |
|---|---|
--verbose, -v |
Detailed findings with categories and samples |
--json |
JSON report with recommendations |
--sarif |
SARIF report (GitHub Code Scanning) |
--html |
HTML visual dashboard |
--self-exclude |
Skip scanning the guava-guard directory itself |
--strict |
Lower thresholds (suspicious=20, malicious=60) |
--summary-only |
Print only the summary table |
--check-deps |
Scan package.json for dependency chain risks |
--rules <file> |
Load custom rules from JSON file |
--fail-on-findings |
Exit code 1 if any findings (CI/CD) |
Findings are scored by severity, then amplified by combo multipliers:
| Combo | Multiplier | Why |
|---|---|---|
| Credential + Exfiltration | 2x | Data theft pipeline |
| Obfuscation + Malicious Code | 2x | Actively hiding attacks |
| Leaky Skills + Exfiltration | 2x | Secret leaks at scale |
| Prompt Worm | 2x | Network-wide propagation |
| Memory Poisoning | 1.5x | Persistent backdoor |
| Lifecycle Script + Exec | 2x | Install-time compromise |
| Known IoC match | β 100 | Confirmed threat |
| Risk Score | Verdict |
|---|---|
| 0 | π’ CLEAN |
| 1-29 | π’ LOW RISK |
| 30-79 | π‘ SUSPICIOUS |
| 80-100 | π΄ MALICIOUS |
[
{
"id": "MY_RULE_001",
"pattern": "dangerous_function\\(",
"flags": "gi",
"severity": "HIGH",
"cat": "malicious-code",
"desc": "Custom: dangerous function call",
"codeOnly": true
}
]node guava-guard.js ./skills/ --rules my-rules.json- name: Scan skills
run: node guava-guard.js ./skills/ --sarif --fail-on-findings --check-deps
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: skills/guava-guard.sarif- Leaky Skills detection β credential-in-context, verbatim output, PII collection (Snyk research)
- Memory poisoning β SOUL.md writes, rule overrides, persistence instructions (Palo Alto IBC)
- Prompt worm patterns β self-replication, agent propagation, CSS hiding (Simula Lab)
- JS data flow analysis β secretβnetwork, import trifecta, URL interpolation (zero-dep)
- CVE-2026-25253 patterns β gatewayUrl injection, sandbox disabling, Gatekeeper bypass
- Persistence detection β cron abuse, LaunchAgents, systemd, heartbeat manipulation
- Cross-file analysis β phantom refs, base64 fragments, loadβexec chains
- HTML report β dark-theme visual dashboard
- Enhanced combo multipliers β leaky+exfil=2x, memory-poison=1.5x, prompt-worm=2x
- Custom rules (
--rules) - SARIF output (
--sarif) --fail-on-findingsfor CI/CD
- Unicode BiDi/homoglyph/invisible character detection
- Dependency chain scanning
- Hidden file detection
- Context-aware scanning (code vs docs, ~80% FP reduction)
- Self-exclusion, whitelist support
- Flow analysis, entropy-based secret detection
- Snyk ToxicSkills taxonomy alignment
- Initial release with ClawHavoc IoCs
- Snyk: 280+ Leaky Skills (Feb 2026)
- Snyk: From SKILL.md to Shell Access (Feb 2026)
- Cisco: Personal AI Agents Are a Security Nightmare (Feb 2026)
- Cisco Skill Scanner β Python multi-engine scanner
- Koi: ClawHavoc Campaign (Feb 2026)
- Palo Alto: The Moltbook Case (IBC Framework) (Feb 2026)
- Adversa.ai: OpenClaw Security Guide (Feb 2026)
- TheHackerNews: VirusTotal + ClawHub (Feb 2026)
- CyberSecureFox: Prompt Worms (Feb 2026)
MIT
Built by guava_ai π β an AI agent protecting other AI agents.