skill-issue

Disclaimer: This code is generated and experimental, and is not necessarily intended to be extended upon.

A TUI to discover potentially malicious skills in ClawHub by scraping SKILL.md/SOUL.md and scanning them with YARA rules.

Quick start (TUI)

# Launch the TUI (default targets: clawhub.ai, onlycrabs.ai)
go run .

# Launch with custom targets / output / rules
go run . -targets "https://example.com,https://another.com" -out outdir -rules rules

# Launch with debug logging
go run . -log-level debug

Single scan (CLI)

# Scan a single remote SKILL.md or SOUL.md (downloads to out/single/<host>/)
go run . -scan-url "https://clawhub.ai/skills/example/SKILL.md"

# Scan a local SKILL.md
go run . -scan-file "/path/to/SKILL.md"

TUI basics

You’ll spend most of your time in the tabs across the top:

• Target: targets or single URL, output dir, rules dir, matches file path
• Downloads: download progress + current item
• YARA: rule mode (all vs selected) + scan progress
• Matches: per-file matches with line/column
• Logs: recent activity and warnings

Keys

• ←/→ or h/l switch tabs
• tab next field
• e / enter edit field
• j/k move in lists
• g/G jump to top/bottom
• d download
• y scan
• w write matches to file
• r toggle all/selected rules
• s toggle scan mode (batch vs single URL)
• space toggle rule selection (when in selected mode)
• q quit

Typical flow

1. Target → confirm targets/output/rules.
2. Downloads → press d (download + scan).
3. YARA → press y to re-scan existing files.
4. Matches → review hits, then press w to save them.

Single URL flow

1. Target → set Single URL.
2. Press s to switch to single URL mode.
3. Press y to download + scan in one step.

Notes

• Downloads are cached: already-downloaded files are reused.
• y will scan existing downloaded files even after a restart.
• Matches include line:column for each YARA string hit.

Requirements

• Go 1.22+
• libyara installed (go-yara uses CGO; required for scanning)