Skill Vetting Tianjin
by tianjin-ren · GitHub ↗ · v1.1.1 · MIT-0
253 Downloads · 0 Stars · 1 Active Installs · 2 Versions
Install in OpenClaw
/install skill-vetting-tianjin
Description
Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing w...
Usage Guidance
This skill appears to implement a local scanner and guidance for vetting other skills, but do not install or run it blindly. Before using it:
(1) Verify the missing/mentioned files (e.g., mediate.py) or confirm the author intentionally omitted them.
(2) Inspect scripts/scan.py locally to confirm it performs only local regex scanning (no network calls, no eval/exec, no subprocess calls with shell=True).
(3) Be aware that SKILL.md contains prompt-injection examples that will trip pattern detectors; treat those as test data, not operational instructions.
(4) Check the metadata mismatch (ownerId/version) and confirm author identity.
(5) Run the scanner in an isolated environment (container or VM) and manually review any CRITICAL findings before taking automated actions.
If you need automated deployment, ensure your pipeline distinguishes 'example text' from live code to avoid false auto-rejects.
Capability Analysis
Type: OpenClaw Skill
Name: skill-vetting-tianjin
Version: 1.1.1
The skill is a security utility designed to help AI agents vet other ClawHub skills for malicious patterns and utility. It includes a Python-based regex scanner (scripts/scan.py) that identifies dangerous functions (eval, exec, shell=True), obfuscation, and social engineering attempts. While SKILL.md contains instructions regarding prompt injection, these are defensive guidelines intended to harden the agent's review process rather than malicious overrides. The logic is transparent and aligned with its stated purpose.
Capability Assessment
Purpose & Capability
The skill claims to be a vetting tool and includes a scanner (scripts/scan.py) and extensive documentation — that's coherent. However the ARCHITECTURE.md describes a 'mediate.py' mediator and a v2.0 workflow that are referenced but not included in the bundle; _meta.json version/ownerId differs from registry metadata; SKILL.md commands assume a specific install location (~/.openclaw/workspace/skills/skill-vetting) which may not match how the skill is installed. These mismatches suggest sloppy packaging or incomplete implementation and should be resolved before trusting automated workflows.
Instruction Scope
Runtime instructions are narrowly scoped to downloading a skill ZIP into /tmp, running the included scanner, and performing manual review — appropriate for a vetting tool. The SKILL.md also deliberately contains examples of prompt-injection text and regexes to detect them; that defensive content will trigger pattern detectors (and indeed a pre-scan found such a pattern). This is expected for a vetting tool but could cause naive automation to auto-reject or behave oddly if not handled carefully.
Install Mechanism
There is no install spec (instruction-only style) and the scanner runs locally. The skill itself performs no remote downloads and extracts no archives. This is low-risk compared to skills that fetch arbitrary code at install time.
Credentials
The skill declares no required env vars, credentials, or config paths. The included scanner operates on local files and contains no code that requests remote credentials. No overbroad environment access is requested.
Persistence & Privilege
always:false and no privileged persistence or modifications to other skills are requested. The skill does not claim to run persistently or alter system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skill-vetting-tianjin
- After installation, invoke the skill by name or use /skill-vetting-tianjin
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.1
- No functional changes; documentation only.
- SKILL.md content remains unchanged.
- Version bumped to 1.1.1 for consistency.
v1.1.0
- Major documentation update: Added a comprehensive SKILL.md with detailed security vetting workflow, prompt injection guidance, manual review steps, and scanner limitations.
- Clearly defines rules for handling prompt injection and in-file manipulation attempts.
- Provides explicit red flags and a decision matrix for skill approval/rejection.
- Includes quick command-line recipes for safe skill inspection.
- Lists known scanner bypass patterns and manual review heuristics to increase overall skill security.
Frequently Asked Questions
What is Skill Vetting Tianjin?
Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing w... It is an AI Agent Skill for Claude Code / OpenClaw, with 253 downloads so far.
How do I install Skill Vetting Tianjin?
Run "/install skill-vetting-tianjin" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Vetting Tianjin free?
Yes, Skill Vetting Tianjin is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Vetting Tianjin support?
Skill Vetting Tianjin is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill Vetting Tianjin?
It is built and maintained by tianjin-ren (@tianjin-ren); the current version is v1.1.1.