Skill Preflight Checker
by cp3d1455926-svg · v1.0.0 · MIT-0
81 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install skill-preflight-checker
Description
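Skill preflight checker. Runs security checks before any skill is installed: verifies author reputation, checks for malicious scripts, and analyzes permission requirements, to prevent the installation of malicious skills.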
Usage Guidance
This skill appears to be what it claims (a preflight checker) but there are some important cautions:
- (1) The metadata does not list required tools — the instructions expect npm, docker, jq, grep, tar, etc.; verify those are available and intended.
- (2) Follow the container test steps carefully: avoid mounting sensitive host folders into the container (do not mount your home or .ssh), run the container with network disabled if you only want static checks, and don’t run as root. Prefer npm pack + static analysis and offline scanning rather than running npm install on untrusted packages.
- (3) Ask the author to update the skill metadata to declare required binaries and to add safer, explicit container options (e.g., --network=none, no host mounts, use ephemeral temp directories).
If you cannot verify or enforce those safeguards, run preflight checks in a fully isolated VM/sandbox rather than on your primary host.
Capability Analysis
Type: OpenClaw Skill
Name: skill-preflight-checker
Version: 1.0.0
The skill is a security auditing tool designed to inspect other packages for malicious behavior before installation. It uses standard utilities like `npm`, `grep`, and `docker` to check author reputation, scan for dangerous functions (e.g., `eval`, `exec`), and identify access to sensitive files (e.g., `.ssh`, `.env`) within target packages. The logic in `SKILL.md` and the provided `preflight_check.sh` script is consistent with its defensive purpose and lacks evidence of malicious intent, obfuscation, or data exfiltration.
Capability Assessment
Purpose & Capability
The SKILL.md describes exactly the activities one would expect for a preflight checker (author reputation checks, scanning package scripts, searching for risky patterns, and running containerized tests). However the registry metadata declares no required binaries or tools even though the instructions require npm, docker, jq, grep, tar, and similar tools; and some claims (e.g., 'check author on ClawHub') lack concrete commands. This is a coherence gap between claimed capabilities and declared requirements.
Instruction Scope
Runtime instructions direct the agent to run `npm view`, grep/search package contents, `npm pack`/`tar` extraction, and to run docker containers that mount the current working directory (`docker run -v $(pwd):/app node:alpine npm install package-name`). Mounting host directories and running `npm install` (even inside a container) can expose host files and execute package install scripts. The instructions also suggest scanning for `~/.ssh` and `.env` patterns — they do not explicitly restrict access to only package files. These steps are reasonable for a preflight tool but carry non-trivial risk and should be run with stricter isolation and explicit safeguards.
Install Mechanism
This is instruction-only with no install spec and no code files to execute from the skill itself. That minimizes the skill's own installation footprint.
Credentials
The skill requests no environment variables or credentials (appropriate for a checker). However the instructions search for references to sensitive paths (e.g., ~/.ssh, .env) and recommend mounting host directories into containers; that could lead to accidental access to sensitive host data if the operator follows the instructions naively. Declaring required tools (npm, docker, jq, grep, tar) in metadata would also make expectations clearer.
Persistence & Privilege
always:false and no install-time persistence or modifications to other skills are requested. The skill does not request elevated persistent privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skill-preflight-checker
- After installation, invoke the skill by name or use /skill-preflight-checker
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: skill-preflight-checker 1.0.0
- Provides automated preflight security checks before skill installation.
- Checks author reputation, scans for malicious scripts and commands, analyzes permission needs, and tests in a containerized environment.
- Generates detailed safety reports, flags risks, and offers install recommendations (safe/cautious/reject).
- Includes scripts and reference templates for automated scanning and checklist use.
- Designed to help prevent malicious or high-risk skills from being installed.
Frequently Asked Questions
What is Skill Preflight Checker?
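Skill preflight checker. Runs security checks before any skill is installed: verifies author reputation, checks for malicious scripts, and analyzes permission requirements, to prevent the installation of malicious skills. It is an AI Agent Skill for Claude Code / OpenClaw, with 81 downloads so far.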
How do I install Skill Preflight Checker?
Run "/install skill-preflight-checker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Preflight Checker free?
Yes, Skill Preflight Checker is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Preflight Checker support?
Skill Preflight Checker is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill Preflight Checker?
It is built and maintained by cp3d1455926-svg (@cp3d1455926-svg); the current version is v1.0.0.