← Back to Skills Marketplace
marianachow0321

Pre-installation Security Check

by marianachow0321 · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
121
Downloads
1
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install preinstall-security-check
Description
Pre-installation security assessment for ClawHub skills. Run before any skill install.
Usage Guidance
This skill appears to implement a reasonable pre-install security workflow, but there are unresolved inconsistencies you should address before trusting it: 1) The README references CLI wrapper/setup scripts to enforce checks, but those scripts are not included — ask the author why and request the wrapper code if you expect CLI-level enforcement. 2) Because the skill can spawn sub-agents and run 'openclaw skill install' inside them, confirm how your agent platform sandboxes sub-agents and whether those sub-agents truly isolate network, credentials, and persistent storage. 3) Review the upstream GitHub repo (the skill will fetch metadata) yourself before approving any automatic install; verify stars, recent commits, and look for the missing scripts. 4) Prefer to run the first few checks manually or in a tightly controlled environment (throwaway account or VM) until you confirm the tool's behavior. If you plan to allow autonomous invocation, require higher trust (e.g., verified org, included wrapper code, or an explicit manual review) before giving it free rein.
Capability Analysis
Type: OpenClaw Skill Name: preinstall-security-check Version: 1.0.1 This skill functions as a security shim that intercepts 'install' commands to perform risk scoring and sandbox analysis. While the stated intent is protective, it exhibits high-risk behavior by spawning sub-agents to execute third-party code during analysis and referencing missing CLI enforcement scripts (scripts/setup-cli-enforcement.sh) designed to intercept terminal commands. The sandbox procedure in references/sandbox-procedure.md requires installing the target skill to analyze it, which could lead to unintended execution if the platform's sub-agent isolation is bypassed.
Capability Assessment
Purpose & Capability
The name/description (pre-install security check) match the runtime instructions (fetch metadata, score, optionally spawn a sandbox sub-agent and report). However README and SKILL.md claim additional CLI-level enforcement via scripts (scripts/openclaw-security-wrapper.sh and setup-cli-enforcement.sh) that are referenced in documentation but are not present in the shipped file manifest — this mismatch is unexplained and reduces trust.
Instruction Scope
SKILL.md instructs the agent to fetch ClawHub/GitHub metadata, compute risk, and (when appropriate) spawn an isolated sub-agent to run 'openclaw skill install' and grep the installed files for risky patterns. Those actions are within the stated purpose, but two issues stand out: (1) the sub-agent will execute 'openclaw skill install' automatically in sandboxed context — if the parent agent invokes this skill autonomously it may trigger installs inside subagents without obvious user-visible steps; (2) SKILL.md asserts 'Security check cannot be skipped or bypassed', yet the README admits users can bypass via terminal and references wrapper scripts that are not included. The combination of claimed enforcement and missing enforcement artifacts is concerning.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute on the host. That minimizes direct installation risk; there are no download URLs or extract operations in the bundle.
Credentials
The skill declares no required environment variables, binaries, or config paths. The sandbox grep looks for references to common credential paths (e.g., ~/.ssh, ~/.aws) but it does not request credentials itself. Requested privileges are therefore proportionate to the stated purpose.
Persistence & Privilege
always:false and disable-model-invocation:false (defaults) are appropriate. However, the skill's ability to spawn sub-agents and run an install workflow means an agent could perform sandbox tests (and in-subagent installs) autonomously if it chooses to invoke this skill — this increases blast radius relative to a purely manual check. The missing CLI wrapper (referenced as preventing bypass) would have introduced more persistence; its absence reduces but does not eliminate risk.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install preinstall-security-check
  3. After installation, invoke the skill by name or use /preinstall-security-check
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Removed internal reference documentation and helper scripts no longer needed for runtime use. - Skill functionality and user workflow remain unchanged.
v1.0.0
Initial release of ClawHub Security Check – a mandatory pre-install security assessment for ClawHub skills. - Performs automated risk assessment before any skill installation. - Fetches skill details from ClawHub and GitHub to determine author, activity, and trust indicators. - Calculates a risk score (0–100) with clear thresholds for approval, sandboxing, or rejection. - Optionally runs an isolated sandbox analysis for moderate/high-risk or unknown skills. - Generates a structured security report with verdict and recommendations. - Requires explicit user confirmation before installation; does not allow bypassing security checks.
Metadata
Slug preinstall-security-check
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Pre-installation Security Check?

Pre-installation security assessment for ClawHub skills. Run before any skill install. It is an AI Agent Skill for Claude Code / OpenClaw, with 121 downloads so far.

How do I install Pre-installation Security Check?

Run "/install preinstall-security-check" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Pre-installation Security Check free?

Yes, Pre-installation Security Check is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Pre-installation Security Check support?

Pre-installation Security Check is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Pre-installation Security Check?

It is built and maintained by marianachow0321 (@marianachow0321); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments