[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-2230":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":14,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":28,"readmeContent":29,"aiSummary":30,"trendingCount":15,"starSnapshotCount":15,"syncStatus":14,"lastSyncTime":31,"discoverSource":32},2230,"SkillWard","Fangcun-AI\u002FSkillWard","Fangcun-AI","Security scanner for Agent Skills — uncover hidden threats before deployment.","https:\u002F\u002Fskillward.fangcunleap.com\u002F",null,"Python",127,4,2,0,1,11,3,46.2,"Other",false,"main",[24,25,26,27],"ai-security-tool","llm","sandbox","skills","2026-06-12 04:00:13","·\u003Cp align=\"center\">\n  \u003Cimg src=\".\u002Fresources\u002Fbanner.png\" alt=\"SkillWard Banner\" width=\"100%\" \u002F>\n\u003C\u002Fp>\n\n\u003Ch1 align=\"center\">SkillWard\u003C\u002Fh1>\n\n\u003Cp align=\"center\">\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FFangcun-AI\">\u003Cimg src=\".\u002Fresources\u002Fskillward-badge.svg\" alt=\"SkillWard\" height=\"20\" \u002F>\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fopensource.org\u002Flicenses\u002FApache-2.0\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache%202.0-4B8BBE?style=flat-square&logo=apache&logoColor=white\" alt=\"License\" \u002F>\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fwww.python.org\u002Fdownloads\u002F\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPython-3.10+-3776AB?style=flat-square&logo=python&logoColor=white\" alt=\"Python\" \u002F>\u003C\u002Fa>\n  \u003Cimg 
src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FDocker-Ready-2496ED?style=flat-square&logo=docker&logoColor=white\" alt=\"Docker\" \u002F>\n  \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FVersion-1.0.0-32CD32?style=flat-square\" alt=\"Version\" \u002F>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\u003Ci>SkillWard is a security scanner for AI Agent Skills that combines static analysis, LLM evaluation, and sandbox verification to comprehensively identify potential risks in Agent Skills.\u003C\u002Fi>\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n  \u003Ca href=\"#highlights\">Highlights\u003C\u002Fa> ·\n  \u003Ca href=\"#architecture\">Architecture\u003C\u002Fa> ·\n  \u003Ca href=\"#skillward-ui\">UI\u003C\u002Fa> ·\n  \u003Ca href=\"#benchmark\">Benchmark\u003C\u002Fa> ·\n  \u003Ca href=\"#quick-start\">Quick Start\u003C\u002Fa> ·\n  \u003Ca href=\"#repository-structure\">Structure\u003C\u002Fa> ·\n  English | \u003Ca href=\".\u002FREADME_CN.md\">中文\u003C\u002Fa>\n\u003C\u002Fp>\n\n> **\"Five scanners on 238,180 Skills showed highly inconsistent results, only 0.12% were flagged by all five, with individual flag rates ranging from 3.79% to 41.93%.\"**\n> — Holzbauer et al., [*Malicious Or Not: Adding Repository Context to Agent Skill Classification*](https:\u002F\u002Farxiv.org\u002Fabs\u002F2603.16572), 2026\n\n**SkillWard** enables security review of AI Agent Skills before they are published or deployed, reducing the potential risks of Agent usage. Beyond static analysis and LLM evaluation, it executes suspicious Skills in **isolated Docker sandboxes**, replacing uncertain warnings with runtime evidence. 
Across 5,000 real-world Skills, ~**25%** were flagged as unsafe; among the ~**38%** suspicious samples that entered the sandbox, ~**one-third** revealed runtime threats that review-only pipelines could not catch.\n\n### How does SkillWard address this challenge?\n\nWe ran two existing open-source scanning tools on the same dataset as reference baselines (see [Comparison](docs\u002Fcomparison.md) for details). Here are three real-world cases:\n\n- **Unique Detection:** Threats missed by other tools, precisely caught by SkillWard — see [ai-skill-scanner](docs\u002Fcases\u002Fai-skill-scanner.md)\n- **Low False Positives:** Compliant content wrongly blocked by other tools, correctly cleared by SkillWard — see [roku](docs\u002Fcases\u002Froku.md)\n- **Deeper Analysis:** For threats all tools detect, SkillWard provides more complete risk tracing and evidence — see [amber-hunter](docs\u002Fcases\u002Famber-hunter.md)\n\n---\n\n## Highlights\n\n- **Three-Stage Security Coverage** - Static analysis, LLM evaluation, and sandbox execution turn obvious threats and ambiguous warnings into high-confidence decisions\n- **Autonomous Sandbox Execution** - An in-container Agent provisions environments, installs dependencies, repairs common failures, and drives Skills end-to-end with up to **99% deployment success**\n- **Runtime Security Guard** - A purpose-built Guard monitors Agent runtime behavior, capturing clear evidence for exfiltration, suspicious network access, sensitive writes, and hidden credential risks\n- **Ready Out of the Box, Extensible on Demand** - Single-skill or batch scans, Quick Scan \u002F Sandbox Scan \u002F Deep Trace modes, tunable via environment variables, LLM provider configuration, and Docker settings\n- **Evidence-Rich Results** - Every scan returns real-time logs, three-stage findings, threat evidence, and remediation guidance that security and platform teams can act on immediately\n\n---\n\n## Architecture\n\n\u003Cimg 
src=\".\u002Fresources\u002Farchitecture.png\" width=\"100%\" alt=\"System Architecture\" \u002F>\n\nSkillWard uses a static + dynamic three-stage analysis approach:\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Stage A · Static Analysis\u003C\u002Fb>: Runs in seconds, catches known malicious patterns and suspicious signals\u003C\u002Fsummary>\n\nScans Skill code and configuration using YARA rules and regex to identify known malicious patterns (credential theft, code injection, etc.), validates that a Skill's declared permissions and capabilities match its actual code behavior, and detects hidden files, encoding obfuscation, prompt poisoning, and other suspicious characteristics.\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Stage B · LLM Evaluation\u003C\u002Fb>: Semantic reasoning to judge intent and assign safety confidence\u003C\u002Fsummary>\n\nAdds semantic reasoning on top of static signals. Skills that can be confidently classified are resolved here; Skills that remain uncertain advance to Stage C for sandbox verification.\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Stage C · Sandbox Verification\u003C\u002Fb>: Actually runs suspicious Skills, leaving hidden risks nowhere to hide\u003C\u002Fsummary>\n\nAn in-container Agent executes the Skill end-to-end, with a custom Guard monitoring throughout. 
Pre-planted honeypot decoys lure malicious Skills into revealing credential theft, data exfiltration, supply chain attacks, and other hidden behavior.\n\n\u003C\u002Fdetails>\n\n---\n\n## SkillWard UI\n\n> **Try it online:** [skillward.fangcunleap.com](https:\u002F\u002Fskillward.fangcunleap.com\u002F)\n\nSkillWard UI provides a clean, intuitive web interface, supporting single or batch Skill submission, three scan modes (Quick Scan \u002F Sandbox Scan \u002F Deep Trace), and comprehensive scan results display.\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd width=\"50%\" align=\"center\">\u003Cb>Single Skill Scan\u003C\u002Fb>\u003C\u002Ftd>\n\u003Ctd width=\"50%\" align=\"center\">\u003Cb>Batch Scan\u003C\u002Fb>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Cimg src=\".\u002Fresources\u002Fdemo.webp\" width=\"100%\" alt=\"Single Skill Scan Demo\" \u002F>\u003C\u002Ftd>\n\u003Ctd>\u003Cimg src=\".\u002Fresources\u002Fbatch-demo.webp\" width=\"100%\" alt=\"Batch Scan Demo\" \u002F>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n### Detailed Analysis Report\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd width=\"50%\" align=\"center\">\u003Cb>Report Overview + Three-Stage Analysis\u003C\u002Fb>\u003C\u002Ftd>\n\u003Ctd width=\"50%\" align=\"center\">\u003Cb>Threat Details + Detection Evidence + Recommendations\u003C\u002Fb>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>\u003Cimg src=\".\u002Fresources\u002Fscreenshot-detail.png\" width=\"100%\" alt=\"Analysis Report Details\" \u002F>\u003C\u002Ftd>\n\u003Ctd>\u003Cimg src=\".\u002Fresources\u002Fscreenshot-detail2.png\" width=\"100%\" alt=\"Analysis Report - Threats & Recommendations\" \u002F>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\nEach report includes: **Analysis Results** (three-stage verdicts, confidence scores, threat levels), **Issue Location** (file path, line number, highlighted code snippets), and **Remediation Suggestions** (actionable security recommendations).\n\n---\n\n## 
Benchmark\n\nWe evaluated SkillWard on a real-world AI Agent Skills dataset containing Skills collected from [ClawHub](https:\u002F\u002Fclawhub.ai\u002F) and known-malicious samples curated from security communities.\n\n### Pipeline Results\n\n#### Stage A + B: Static Scan + LLM Evaluation\n\nCombining **YARA rules, regex-based static analysis, and LLM semantic evaluation**, all Skills are quickly triaged: safe ~49%, unsafe ~13%, suspicious ~38%, where suspicious Skills are escalated to Stage C for sandbox verification.\n\n#### Stage C: Sandbox Verification\n\nAfter executing this batch of suspicious Skills end-to-end inside an isolated Docker sandbox, roughly **one-third** revealed potential threats that **neither static analysis nor LLM evaluation could catch**, including:\n\n- **Credential exfiltration** that only surfaces along the execution path\n- **Persistence backdoors** via `crontab` \u002F `SSH` \u002F startup scripts\n- **Postinstall supply-chain attacks** triggered during package installation\n- **Outbound exfiltration chains** identifiable only after correlating multi-step operations\n\nStage C verdict breakdown for these suspicious Skills:\n\n| Level | Meaning | % of suspicious |\n|---|---|---|\n| **safe** | Confirmed safe after sandbox verification | **~69%** |\n| **medium risk** | Medium-risk behavior (undeclared external requests, env-var harvesting, etc.) | **~17%** |\n| **high risk** | High-risk behavior (credential theft, persistence backdoors, remote code execution, etc.) 
| **~14%** |\n\n#### Overall\n\nAcross all stages: Stage A + B directly blocked ~**13%** unsafe Skills, and ~**38%** suspicious Skills entered the sandbox; among those suspicious Skills, ~**17%** were judged medium risk and ~**14%** were judged high risk.\n\n#### Common Threat Patterns (% of unsafe Skills)\n\n| Pattern | Occurrences |\n|---------|------------|\n| Credential theft (API keys, passwords, private keys) | 36% |\n| Undeclared external network requests | 24% |\n| Env var \u002F `.env` harvesting | 15% |\n| Remote code download and execution | 9% |\n| Persistence backdoor (crontab \u002F SSH \u002F startup) | 8% |\n| Supply chain and privilege escalation | 8% |\n\n> For detailed case studies and comparison, see [How does SkillWard address this challenge?](#how-does-skillward-address-this-challenge) above.\n\n---\n\n## Quick Start\n\n**Requirements:** Python 3.10+ \u002F Docker (sandbox) \u002F Node.js 18+ (UI mode)\n\n### 1. Install & Configure\n\n```bash\n# Clone the repository\ngit clone https:\u002F\u002Fgithub.com\u002FFangcun-AI\u002FSkillWard.git\ncd SkillWard\n\n# Install dependencies\npip install -r requirements.txt && pip install -e .\u002Fskill-scanner\n\n# Pull Docker sandbox image\ndocker pull fangcunai\u002Fskillward:amd64    # Intel\u002FAMD\ndocker pull fangcunai\u002Fskillward:arm64    # Apple Silicon\u002FARM\n\n# Configure environment variables (.env.example lists all available options — fill in as needed)\ncp guardian-api\u002F.env.example guardian-api\u002F.env\n```\n\n> For detailed configuration, see [Configuration Guide](docs\u002Fconfiguration.md)\n\n### 2. 
Run Scans\n\n```bash\n# Full pipeline (static + LLM + sandbox)\npython guardian-api\u002Fguardian.py \u002Fpath\u002Fto\u002Fskills-dir -o .\u002Foutput --enable-after-tool --parallel 4 -v\n\n# Stage A + B only (static + LLM, no Docker required)\npython guardian-api\u002Fguardian.py \u002Fpath\u002Fto\u002Fskills-dir --stage pre-scan -o .\u002Foutput -v\n\n# Stage C only (Docker sandbox)\npython guardian-api\u002Fguardian.py \u002Fpath\u002Fto\u002Fskills-dir --stage runtime -o .\u002Foutput --enable-after-tool --parallel 4\n```\n\n### 3. Common Scenarios\n\n```bash\n# Scan specific Skills only\npython guardian-api\u002Fguardian.py \u002Fpath\u002Fto\u002Fskills-dir -s skill-a,skill-b -o .\u002Foutput\n\n# Quick test run (first 10 Skills)\npython guardian-api\u002Fguardian.py \u002Fpath\u002Fto\u002Fskills-dir -n 10 -o .\u002Foutput\n\n# Increase sandbox timeout for complex Skills\npython guardian-api\u002Fguardian.py \u002Fpath\u002Fto\u002Fskills-dir --timeout 900 --prep-timeout 600 -o .\u002Foutput\n```\n\n> For more options and usage details, see [CLI Guide](docs\u002Fcli.md)\n\n> [!TIP]\n> **Optional: Launch Web UI**\n> ```bash\n> cd guardian-api && python guardian_api.py       # API server\n> cd guardian-ui && npm install && npm run dev    # Frontend\n> ```\n\n---\n\n## Repository Structure\n\n```\nSkillWard\u002F\n├── docs\u002F                        # Documentation (config, CLI, cases, comparison)\n├── guardian-api\u002F                 # Backend: scanning pipeline & API server\n│   ├── guardian.py               # Core three-stage scanning engine\n│   └── guardian_api.py           # FastAPI server (SSE streaming)\n├── guardian-ui\u002F                  # Frontend: Next.js web dashboard\n├── skill-scanner\u002F                # Static analysis engine (15 analyzers)\n├── models\u002F                      # Data model definitions\n├── services\u002F                    # Business logic services\n├── utils\u002F                       # Utility functions\n├── 
resources\u002F                   # Banner, screenshots, demo assets\n├── requirements.txt\n├── README.md\n└── README_CN.md\n```\n\n| Guide | Description |\n|-------|-------------|\n| [Configuration](docs\u002Fconfiguration.md) | Quick start, LLM model providers, sandbox security monitoring, optional tuning |\n| [CLI Guide](docs\u002Fcli.md) | Full command-line reference, common usage, and output files |\n| [Showcase](docs\u002Fshowcase.md) | Real-world detection cases, how SkillWard catches threats in public Skills |\n| [Comparison](docs\u002Fcomparison.md) | Side-by-side analysis with two open-source scanning tools |\n\n---\n\n## 📋 Changelog\n\n| Date | Summary | Details |\n|------|---------|---------|\n| 2026-04-24 | 🧰 **Skill release** — published `skillward-audit-skill`, a Claude Code \u002F OpenClaw skill that lets agents audit any skill bundle (folder \u002F `.zip` \u002F `.tar.gz`) directly through the SkillWard service | [docs\u002FUPDATE_REPORT_2026-04-24.md](docs\u002FUPDATE_REPORT_2026-04-24.md) |\n| 2026-04-22 | 🛑 **UI refresh** — batch-scan progress is persisted automatically; added a scan-result reuse mechanism | [docs\u002FUPDATE_REPORT_2026-04-21.md](docs\u002FUPDATE_REPORT_2026-04-21.md) |\n| 2026-04-14 | 🧠 **Stage B prompt redesign** — Stage B LLM triage prompt upgraded to a structured System + User two-part prompt | [docs\u002FUPDATE_REPORT_2026-04-14.md](docs\u002FUPDATE_REPORT_2026-04-14.md) |\n| 2026-04-10 | 🔒 **Sandbox gateway stability fix** — fixed the OpenClaw Gateway daemon not starting, resolving the exec-approval failure | [docs\u002FUPDATE_REPORT_2026-04-10.md](docs\u002FUPDATE_REPORT_2026-04-10.md) |\n\n---\n\n## License\n\n[Apache License 2.0](LICENSE)\n","SkillWard is a security scanning tool for AI agent skills, designed to uncover hidden security threats before deployment. It combines three techniques, static analysis, large language model evaluation, and sandbox verification, to comprehensively identify potential risks. SkillWard can execute suspicious skills in an isolated Docker sandbox environment, providing runtime evidence in place of uncertain warnings. It is suited to any scenario that requires a security review of AI agent skills, such as the security-check stage before development, testing, or release, and helps significantly reduce the security risk of using insufficiently reviewed AI skills.","2026-06-11 02:48:58","CREATED_QUERY"]