← Back to Skills Marketplace
371
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install skill-guard-snyk-agent-scan
Description
Scan ClawHub skills for security vulnerabilities BEFORE installing. Use when installing new skills from ClawHub to detect prompt injections, malware payloads...
Usage Guidance
This wrapper appears to do what it says: download a skill to /tmp, run a Snyk Agent scan, and only install if clean. Before using it: 1) Verify the uv installer source (astral.sh) and prefer installing uv/uvx from a trusted package manager if possible (avoid copy-pasting arbitrary curl | sh commands). 2) Only provide a SNYK_TOKEN with the minimal scope needed for scanning; treat it like any secret. 3) When threats are reported, inspect the staged files in /tmp and the scan report before manually moving them into your skills directory. 4) Avoid using --skip-scan except when you explicitly accept the risk. Overall the design is coherent, but runtime downloads (uvx and the scanner package) are the primary residual risk — verify those upstream projects before trusting them.
Capability Analysis
Type: OpenClaw Skill
Name: skill-guard-snyk-agent-scan
Version: 1.0.3
The skill-guard bundle is a security utility designed to protect OpenClaw agents by scanning other skills for vulnerabilities before installation. The primary component, scripts/safe-install.sh, implements a secure workflow by downloading skills to a temporary staging directory, scanning them using the legitimate Snyk Agent Scan tool (via uvx), and only moving them to the active workspace if no threats are detected. No evidence of data exfiltration, malicious execution, or prompt injection was found; the code logic aligns perfectly with its stated purpose of enhancing agent security.
Capability Assessment
Purpose & Capability
Name/description say: pre-install scan using Snyk Agent Scan. The script fetches a skill to a staging area, invokes a scanner (uvx snyk-agent-scan@latest), and installs or quarantines based on results. Required tooling (clawhub, uvx) and SNYK_TOKEN are consistent with scanning-before-install behavior.
Instruction Scope
SKILL.md and safe-install.sh limit actions to staging a skill in /tmp, running the scanner, writing a scan report, and (optionally) moving the staged skill into the user's skills folder. The script reads CLAWHUB_WORKDIR (reasonable) and SNYK_TOKEN (required for authenticated scans). It does not attempt to read unrelated system secrets, modify other skills, or exfiltrate data itself.
Install Mechanism
There is no platform install spec, but the script expects uvx to run the scanner and documents installing uv via a curl | sh command (https://astral.sh/uv/install.sh). Running remote install scripts or using uvx to fetch and run 'snyk-agent-scan@latest' involves downloading and executing third-party code at runtime — this is expected for a scanner but is a moderate risk vector and worth verifying the sources before trusting them.
Credentials
Only SNYK_TOKEN (for authenticated scanning) and optional CLAWHUB_WORKDIR are used. That credential aligns with the stated need to run Snyk Agent Scan. No unrelated credentials or broad secrets are requested by the skill itself.
Persistence & Privilege
always is false and the skill does not request permanent agent inclusion or modify other skills' configs. It stages files in /tmp and moves them into the user's skills directory only when the scan passes (or when user explicitly chooses to install).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skill-guard-snyk-agent-scan - After installation, invoke the skill by name or use
/skill-guard-snyk-agent-scan - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
**Skill-guard v1.0.3 changelog:**
- Fork of @jamesOuttake/skill-guard
- Switched scanner engine from "mcp-scan" to "Snyk Agent Scan" (reflects upstream rename/successor).
- Updated documentation to reference Snyk Agent Scan and new scanner requirements.
- Added a new exit code (3) for scanner availability/configuration errors, making it clear when the scan cannot run (e.g., missing SNYK_TOKEN).
- Improved error handling: the installer now explicitly separates scanner setup errors from skill security issues.
- Minor documentation updates for clarity and accuracy.
Metadata
Frequently Asked Questions
What is skill-guard w Snyk Agent Scan?
Scan ClawHub skills for security vulnerabilities BEFORE installing. Use when installing new skills from ClawHub to detect prompt injections, malware payloads... It is an AI Agent Skill for Claude Code / OpenClaw, with 371 downloads so far.
How do I install skill-guard w Snyk Agent Scan?
Run "/install skill-guard-snyk-agent-scan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is skill-guard w Snyk Agent Scan free?
Yes, skill-guard w Snyk Agent Scan is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does skill-guard w Snyk Agent Scan support?
skill-guard w Snyk Agent Scan is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created skill-guard w Snyk Agent Scan?
It is built and maintained by pepe (@firefrog-pepe); the current version is v1.0.3.
More Skills