← Back to Skills Marketplace
103
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install xiaopi-skill-vetter
Description
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope,...
Usage Guidance
This skill is essentially a human-readable vetting checklist and is coherent with its stated purpose, but treat it as guidance rather than an automated authority. Before installing or letting an agent run this vetter autonomously: 1) Verify provenance — the package metadata shows inconsistent owner IDs and no homepage; prefer skills with clear authorship. 2) Run any vetting actions in a sandbox or ephemeral VM so curl/raw file fetches can't cause harm. 3) Limit the agent's file-read scope to the skill package directory (do not let it read your home, ~/.ssh, ~/.aws, or other sensitive paths). 4) Manually confirm that the agent does not automatically transmit any collected data to external endpoints. 5) Treat the output of this skill as advisory and perform a human code review for high-risk skills. If you need higher assurance, ask for the publisher's identity or a signed release before trusting automated vetting.
Capability Analysis
Type: OpenClaw Skill
Name: xiaopi-skill-vetter
Version: 1.0.0
The skill is a security utility designed to help AI agents vet other skills before installation. It provides a structured protocol, red flag checklists, and risk assessment levels in SKILL.md. The included shell commands are limited to fetching metadata and file contents from the GitHub API for review purposes, and no malicious intent or high-risk behaviors were identified.
Capability Assessment
Purpose & Capability
The name and description (skill vetting) align with the SKILL.md content: it is an instruction-only vetting protocol that teaches how to review skills and provides curl examples for GitHub. It does not request unrelated credentials or binaries. However, the package metadata is inconsistent: the registry metadata ownerId (kn7256...) differs from _meta.json.ownerId (kn71j6...), and source/homepage are unknown — a provenance gap worth noting.
Instruction Scope
Instructions are narrowly focused on reviewing skill files, checking red flags, and using GitHub API/raw.githubusercontent to fetch files. This is appropriate. Two caution points: (1) the SKILL.md tells the agent to "Read ALL files in the skill" — that should be limited to the skill package area (not host home directories) to avoid accidental exposure of unrelated secrets; (2) Quick Vet Commands run network requests (curl) — expected, but network activity should be sandboxed and results validated.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install profile and consistent with the stated purpose.
Credentials
The skill requires no environment variables, credentials, or config paths. The guidance and quick commands are network/HTTP checks that don't demand secrets. This is proportionate to a vetting checklist.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The skill does not request persistent presence or elevated privileges. There are no instructions to modify other skills or global agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xiaopi-skill-vetter - After installation, invoke the skill by name or use
/xiaopi-skill-vetter - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of skill-vetter — a security-first vetting protocol for AI agent skills.
- Provides a step-by-step checklist to review skill sources, code, permission scopes, and risk levels before installation.
- Lists critical red flags for immediate rejection and offers a clear risk classification framework.
- Includes a standardized vetting report template for documenting evaluations.
- Offers quick commands for assessing GitHub-hosted skills.
- Establishes a trust hierarchy and best practices to minimize security risks when installing new skills.
Metadata
Frequently Asked Questions
What is Xiaopi Skill Vetter?
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope,... It is an AI Agent Skill for Claude Code / OpenClaw, with 103 downloads so far.
How do I install Xiaopi Skill Vetter?
Run "/install xiaopi-skill-vetter" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Xiaopi Skill Vetter free?
Yes, Xiaopi Skill Vetter is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Xiaopi Skill Vetter support?
Xiaopi Skill Vetter is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Xiaopi Skill Vetter?
It is built and maintained by Adin (@a-din); the current version is v1.0.0.
More Skills