Frisk

⚡ Frisk

Frisk is a local-first security scanner for ClawHub skills. It runs 7 autonomous checks against 9 live threat intelligence feeds and returns a structured verdict — pass, warn, or fail — before you install.

Unlike instruction-card security skills that tell agents what to look for, Frisk actually runs the checks: dependency lookups against CISA KEV and OSV, credential scanning with Gitleaks, malware pattern matching with YARA, IOC matching against ThreatFox/URLhaus/MalwareBazaar/Feodo, behavioral analysis for eval and injection patterns, and prompt injection detection in SKILL.md files.

All scanning is offline. No telemetry. No phone-home. No data leaves your machine.

When to use

• Before installing a skill from ClawHub — verify it is safe
• Before publishing your own skills — catch issues early
• When reviewing skills for your team or organization
• As part of CI/CD or pipeline validation
• When you want to verify a skill is safe before trusting it with your environment
• Any time an agent encounters an untrusted skill and needs a security check

Quick start

frisk scan weather-forecast        # Scan by ClawHub slug
frisk scan ./my-skill              # Scan a local skill directory
frisk scan ./my-skill --checks dep-scan,secret-scan
frisk scan ./my-skill --json       # JSON output for pipelines

First run sets up a Python venv and syncs threat intel automatically. After that, scanning works with zero configuration.

How it works

Frisk downloads the skill to a sandboxed 0700 temp directory, strips execute bits from all files, suppresses npm install scripts, runs all enabled checks against the local intel cache, produces a structured JSON report with findings, and cleans up the downloaded skill.

Exit codes: 0 = pass, 1 = warn, 2 = fail

Checks

| Check | What it does |

|-------|-------------|

| dep-scan | Cross-references dependencies against CISA KEV and OSV databases |

| static-analysis | Runs Semgrep rules for security anti-patterns (offline, no phone-home) |

| secret-scan | Scans for hardcoded API keys, tokens, and credentials using Gitleaks |

| yara-scan | Matches files against YARA rules for malware patterns |

| ioc-match | Matches IPs, domains, URLs, and file hashes against ThreatFox, URLhaus, MalwareBazaar, and Feodo Tracker |

| behavioral | Detects eval usage, shell injection, data exfiltration vectors, DNS tunneling |

| prompt-inject | Detects prompt injection and instruction-hiding patterns in SKILL.md |

Threat intel sources (9)

CISA KEV, OSV (npm + PyPI), EPSS, MalwareBazaar, URLhaus, ThreatFox, Feodo Tracker, YARA Rules, Semgrep Rules

Run frisk sync to refresh the intel cache. First scan auto-syncs if no cache exists.

Parameters

When an agent invokes this skill through OpenClaw:

• target (required) — Local directory path or ClawHub skill slug. If a slug is given, the skill is downloaded to a sandboxed temp directory, scanned, and removed.
• checks (optional) — Comma-separated list: dep-scan, static-analysis, secret-scan, yara-scan, ioc-match, behavioral, prompt-inject. Default: all 7.
• json (optional) — Output results as JSON for programmatic use.

Security and Privacy

• No telemetry, no phone-home, no analytics. All scanning is local.
• During scan, zero network requests. All intel is read from the local cache.
• During sync, only public threat intel feeds are contacted. No skill code or scan targets are ever transmitted externally.
• Slug scans are sandboxed: 0700 temp dir, execute bits stripped, npm scripts suppressed, cleaned up after scanning.

Local files

• Read: ~/.frisk/intel/ (threat intel cache), skill directory passed as target
• Written: ~/.frisk/intel/, ~/.frisk/reports/, ~/.frisk/venv/, ~/.frisk/frisk.log
• First sync downloads approximately 50-100 MB of threat intel data

Install

npm install -g @lowwattlabs/frisk

Or let OpenClaw install it via the skill install spec above.

License

MIT-0