- Downloads: 291
- Stars: 0
- Active Installs: 0
- Versions: 1
Install in OpenClaw
/install security-skiil-scanner
Description
Security vetting protocol before installing any AI agent skill. Red flag detection for credential theft, obfuscated code, exfiltration. Risk classification L...
Usage Guidance
This skill mostly looks like a legitimate vetting checklist and quick-commands guide, but there are red flags that justify caution:
- Metadata mismatches: the registry name/slug/owner differ from SKILL.md/_meta.json/README. That could be a packaging mistake or an attempt to masquerade as another skill — verify the correct author and slug before installing.
- Undeclared dependency: the docs call 'clawhub install' but 'clawhub' is not listed in required binaries. Ensure you have the expected CLI tools and understand what the script will run.
- Scope: the vetter tells the agent to download and 'cat' all files in a repo; that will expose any secrets embedded in the package being inspected. That is expected for vetting, but you should not run it against packages you don't trust or that might contain sensitive files.
Recommended actions before installing:
1) Manually verify the skill’s source (author account, repo URL, ClawHub verified badge). Confirm ownerId/slug match the publisher.
2) Run the vetting commands yourself in a controlled environment (container or VM) rather than allowing an agent to run them autonomously.
3) Add 'clawhub' to your checklist of prerequisites if you plan to follow the SKILL.md instructions, or modify the instructions to use only declared tools.
4) If you need high assurance, refuse installation until the metadata inconsistencies are resolved and the publisher identity is confirmed.
Capability Analysis
Type: OpenClaw Skill
Name: security-skiil-scanner
Version: 1.0.0
This skill is a security vetting tool designed to help an AI agent identify malicious code, data exfiltration, and prompt injection attempts in *other* skills. While it instructs the agent to use powerful commands like `curl` and `clawhub install` (to a temporary directory), these actions are explicitly for the purpose of analyzing external skills, not for self-exploitation or malicious behavior by this skill itself. The `SKILL.md` clearly outlines red flags to look for and provides examples of malicious code as illustrations, not as code to be executed by the vetting skill. Its purpose is to enhance security, not compromise it.
Capability Assessment
Purpose & Capability
The SKILL.md describes a vetting tool that needs network checks (GitHub/ClawHub) and text inspection; requiring curl and jq is consistent with that. However, there are inconsistencies: the registry lists this package as 'security-skiil-scanner' while SKILL.md and README call it 'skill-vetter' / 'openclaw-skill-vetter', and the _meta.json slug/ownerId differ from the registry metadata. The README/SKILL.md also instructs use of the 'clawhub' CLI, but 'clawhub' is not declared in required binaries.
Instruction Scope
Instructions explicitly direct the agent to download repos, list and cat all skill files, and call GitHub APIs — actions that are appropriate for a vetting tool. This scope is broad (it tells the agent to 'read ALL files' in a fetched package), which is expected for vetting but will reveal any secrets embedded in the inspected repo. The instructions do not request secrets or system credentials, but they do instruct network access to GitHub/ClawHub domains.
Install Mechanism
No install spec (instruction-only), so nothing is written to disk by an installer. This is the lowest-risk install model and matches the skill being a guidance/protocol document.
Credentials
The skill requests no environment variables or credentials (primaryEnv none). That is proportionate to a vetting/protocol skill. It will, however, instruct network calls which are necessary for its checks.
Persistence & Privilege
always:false and default model invocation are in place. The skill does not request permanent elevated privileges or to modify other skills' config. Autonomous invocation is allowed by default (not flagged here), but weigh it together with the other concerns when deciding whether to allow autonomous runs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install security-skiil-scanner`
- After installation, invoke the skill by name or use `/security-skiil-scanner`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Security Skill Scanner – skill-vetter.
- Provides a systematic security vetting protocol for AI agent skills before installation.
- Detects red flags such as credential theft, obfuscated code, and unauthorized exfiltration.
- Classifies risk as LOW, MEDIUM, HIGH, or EXTREME, with clear install recommendations.
- Includes detailed checklists and report templates for consistent vetting.
- Supports vetting for skills from ClawHub and GitHub; includes practical code review commands.
- Strongly advises never installing untrusted skills without running this process first.
Frequently Asked Questions
What is security-skiil-scanner?
Security vetting protocol before installing any AI agent skill. Red flag detection for credential theft, obfuscated code, exfiltration. Risk classification L... It is an AI Agent Skill for Claude Code / OpenClaw, with 291 downloads so far.
How do I install security-skiil-scanner?
Run "/install security-skiil-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is security-skiil-scanner free?
Yes, security-skiil-scanner is completely free (open-source). You can download, install and use it at no cost.
Which platforms does security-skiil-scanner support?
security-skiil-scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).
Who created security-skiil-scanner?
It is built and maintained by firebroo (@firebroo); the current version is v1.0.0.