back
loading skill details...
Pre-install security audit and vulnerability scanner for ClawHub skills — scan by slug or local path, 9 threat intel sources, 7 checks including malware scan...
---
name: frisk
description: "Pre-install security audit and vulnerability scanner for ClawHub skills — scan by slug or local path, 9 threat intel sources, 7 checks including malware scanning, dependency vulnerabilities, and credential leak detection."
version: 3.0.3
metadata:
openclaw:
emoji: "⚡"
homepage: https://github.com/jchandler187/frisk
requires:
bins:
- python3
- clawhub
anyBins:
- gitleaks
- semgrep
- yara
install:
- kind: node
package: "@lowwattlabs/frisk"
bins:
- frisk
envVars:
- name: FRISK_HOME
required: false
description: "Base directory for intel cache and reports (default: ~/.frisk)"
- name: FRISK_INTEL_DIR
required: false
description: "Override intel cache directory (default: FRISK_HOME/intel)"
- name: FRISK_REPORTS_DIR
required: false
description: "Override reports output directory (default: FRISK_HOME/reports)"
---
# ⚡ Frisk
Frisk is a local-first security scanner for ClawHub skills. It runs 7 autonomous checks against 9 live threat intelligence feeds and returns a structured verdict — pass, warn, or fail — before you install.
Unlike instruction-card security skills that tell agents what to look for, Frisk actually runs the checks: dependency lookups against CISA KEV and OSV, credential scanning with Gitleaks, malware pattern matching with YARA, IOC matching against ThreatFox/URLhaus/MalwareBazaar/Feodo, behavioral analysis for eval and injection patterns, and prompt injection detection in SKILL.md files.
All scanning is offline. No telemetry. No phone-home. No data leaves your machine.
## When to use
- Before installing a skill from ClawHub — verify it is safe
- Before publishing your own skills — catch issues early
- When reviewing skills for your team or organization
- As part of CI/CD or pipeline validation
- When you want to verify a skill is safe before trusting it with your environment
- Any time an agent encounters an untrusted skill and needs a security check
## Quick start
```bash
frisk scan weather-forecast # Scan by ClawHub slug
frisk scan ./my-skill # Scan a local skill directory
frisk scan ./my-skill --checks dep-scan,secret-scan
frisk scan ./my-skill --json # JSON output for pipelines
```
First run sets up a Python venv and syncs threat intel automatically. After that, scanning works with zero configuration.
## How it works
Frisk downloads the skill to a sandboxed 0700 temp directory, strips execute bits from all files, suppresses npm install scripts, runs all enabled checks against the local intel cache, produces a structured JSON report with findings, and cleans up the downloaded skill.
Exit codes: 0 = pass, 1 = warn, 2 = fail
## Checks
| Check | What it does |
|-------|-------------|
| dep-scan | Cross-references dependencies against CISA KEV and OSV databases |
| static-analysis | Runs Semgrep rules for security anti-patterns (offline, no phone-home) |
| secret-scan | Scans for hardcoded API keys, tokens, and credentials using Gitleaks |
| yara-scan | Matches files against YARA rules for malware patterns |
| ioc-match | Matches IPs, domains, URLs, and file hashes against ThreatFox, URLhaus, MalwareBazaar, and Feodo Tracker |
| behavioral | Detects eval usage, shell injection, data exfiltration vectors, DNS tunneling |
| prompt-inject | Detects prompt injection and instruction-hiding patterns in SKILL.md |
## Threat intel sources (9)
CISA KEV, OSV (npm + PyPI), EPSS, MalwareBazaar, URLhaus, ThreatFox, Feodo Tracker, YARA Rules, Semgrep Rules
Run `frisk sync` to refresh the intel cache. First scan auto-syncs if no cache exists.
## Parameters
When an agent invokes this skill through OpenClaw:
- **target** (required) — Local directory path or ClawHub skill slug. If a slug is given, the skill is downloaded to a sandboxed temp directory, scanned, and removed.
- **checks** (optional) — Comma-separated list: `dep-scan`, `static-analysis`, `secret-scan`, `yara-scan`, `ioc-match`, `behavioral`, `prompt-inject`. Default: all 7.
- **json** (optional) — Output results as JSON for programmatic use.
## Security and Privacy
- No telemetry, no phone-home, no analytics. All scanning is local.
- During scan, zero network requests. All intel is read from the local cache.
- During sync, only public threat intel feeds are contacted. No skill code or scan targets are ever transmitted externally.
- Slug scans are sandboxed: 0700 temp dir, execute bits stripped, npm scripts suppressed, cleaned up after scanning.
### Local files
- Read: `~/.frisk/intel/` (threat intel cache), skill directory passed as target
- Written: `~/.frisk/intel/`, `~/.frisk/reports/`, `~/.frisk/venv/`, `~/.frisk/frisk.log`
- First sync downloads approximately 50-100 MB of threat intel data
## Install
```bash
npm install -g @lowwattlabs/frisk
```
Or let OpenClaw install it via the skill install spec above.
## License
MIT-0don't have the plugin yet? install it then click "run inline in claude" again.