Description

Trust-then-verify integrity scanner for local repos and OpenClaw skills. Use when you want to scan before trust, save a trusted baseline, compare after updat...

README (SKILL.md)

Skill Drift Guard

Name: Driftguard
Author: david90232

Trust what you review. Compare what changed later.

Use this skill for local integrity checks and post-update drift detection on repos or installed skills.

This skill is intentionally narrower than a generic security scanner. Its best use is:

scan a local skill folder or repo before trust
save a trusted baseline after review
compare later to answer what changed since trust
highlight risky new capabilities like shell, network, sensitive file access, symlinks, dependencies, or install hooks

Quick start

Run the scanner directly from the installed skill folder:

node {baseDir}/scripts/cli.js scan \x3Cpath>

Save a trusted baseline after review:

node {baseDir}/scripts/cli.js trust \x3Cpath>

Save a trusted baseline to a custom location:

node {baseDir}/scripts/cli.js trust \x3Cpath> --baseline ./reports/skill-baseline.json

Compare a skill or repo against a saved baseline:

node {baseDir}/scripts/cli.js compare \x3Cpath> --baseline ./reports/skill-baseline.json

Recommended workflow

1. Scan before trust

Review the candidate repo or skill first.

node {baseDir}/scripts/cli.js scan /path/to/skill

Treat high or critical output as a stop sign until manually reviewed.

2. Trust after review

If the findings are acceptable, save a trusted baseline.

node {baseDir}/scripts/cli.js trust /path/to/skill

3. Compare after updates

After the skill changes or updates, compare it to the saved baseline.

node {baseDir}/scripts/cli.js compare /path/to/skill --baseline ./reports/baseline.json

Look especially for:

newly added or changed files
new shell or network findings
dependency or install-hook drift
new symlinks or sensitive file references

What it checks

risky shell execution patterns like curl | bash, eval, exec, subprocess, os.system
outbound network patterns like fetch, axios, requests, curl, webhook usage
references to sensitive files like .env, SSH keys, SOUL.md, MEMORY.md, OpenClaw config
prompt injection style content in SKILL.md, SOUL.md, MEMORY.md
obfuscation hints like base64 helpers and long encoded blobs
symlink drift without following symlinks
dependency drift in package.json, requirements.txt, and pyproject.toml
install-hook changes in package.json
combo risks like:
- shell + network
- network + sensitive files
- shell + prompt-injection signals
- obfuscation + active capabilities

Config suppressions

Use a .driftguard.json file in the scan root, or pass --config \x3Cfile>.

Example:

{
  "ignorePaths": ["dist/", "fixtures/"],
  "ignoreRules": ["net.fetch", "shell.exec_generic", "shell.*"]
}

Use suppressions sparingly. If a rule is noisy, prefer narrowing it later instead of muting the whole category.

Exit codes

0 for low risk and no drift
1 for medium risk or drift detected
2 for high or critical risk

Use this for CI or install gating.

Positioning

Use this skill when you want a transparent, local, deterministic trust workflow. Do not use it as the sole authority for safety. It is a heuristic scanner plus drift guard, not a guarantee.

Usage Guidance

This package appears to be a legitimate local 'trust-then-verify' scanner, but check a few things before using it: - Node requirement: The README/commands run the bundled CLI via `node ...`. Ensure you have a trusted Node runtime and that the metadata (if shown to users) correctly documents this dependency. - Inspect code first: The skill runs locally and will read and hash files under any target path you provide. Open and review scripts/cli.js and scripts/scanner.js to confirm you are comfortable with what will be read (avoid scanning folders with secrets unless intended). - Prompt-injection text: SKILL.md contains phrases that match prompt-injection patterns. That is likely intentional (the scanner detects those phrases), but avoid passing the SKILL.md content verbatim into other agents or granting the skill autonomous rights without review. - Autonomous invocation: If you allow the agent to invoke skills autonomously, consider whether you want it to be able to run arbitrary local scans. Autonomous use increases the potential for unintended access to local files. - Trust workflow: Use the scanner as a heuristic and follow the recommended trust-then-verify workflow — do not treat the tool as an absolute guarantee. If you want this skill to be less risky in automated contexts, ask the author to: (1) declare Node as a required binary in the metadata, (2) remove or clearly mark prompt-injection example lines to reduce accidental interpretation, and (3) add guidance about scanning directories containing secrets.

Capability Analysis

Type: OpenClaw Skill Name: driftguard Version: 0.2.4 The DriftGuard skill is a security-focused integrity scanner designed to establish a trusted baseline for local repositories and detect 'drift' (changes) over time. It uses heuristic regex patterns (defined in scripts/rules.js) to identify risky capabilities such as shell execution, network access, and sensitive file references, and it computes SHA-256 hashes (in scripts/scanner.js) to track file modifications. The tool operates entirely locally using standard Node.js modules, lacks any network exfiltration logic, and its instructions in SKILL.md are consistent with its stated purpose of providing a transparent, deterministic trust workflow.

Capability Tags

crypto

Capability Assessment

ℹ Purpose & Capability

The name, description, SKILL.md, and included code implement a local integrity/drift scanner — this matches the stated purpose. However the package/registry metadata claims no required binaries while the instructions explicitly tell users to run the scanner with `node {baseDir}/scripts/cli.js` (i.e., Node is required). That mismatch is a proportionate but notable omission; a legitimate skill of this form would normally declare a Node/runtime requirement.

⚠ Instruction Scope

SKILL.md instructs the agent/user to run the supplied Node CLI against arbitrary local paths (scan/trust/compare). That's expected for a local scanner, but the SKILL.md also contains text that matches prompt-injection patterns (pre-scan flagged 'ignore-previous-instructions'). In context this appears to be example/detection text (the scanner is built to detect prompt-injection phrases), but any SKILL.md that includes phrases like 'ignore previous instructions' can accidentally be interpreted by some agent tooling. Review the SKILL.md and included files before running them with elevated or autonomous privileges.

✓ Install Mechanism

There is no external install spec and no network downloads — all sources are present in the skill bundle (scripts/*.js). This avoids the highest-risk patterns (remote downloads/exec). The code will run locally under Node and reads local files, so risk is confined to the privileges granted when you execute it.

ℹ Credentials

The skill declares no required environment variables or credentials, which is consistent with a local scanner. The scanner will read any files under the target path (including .env, keys, OpenClaw configs) to identify references; that behavior is appropriate for its purpose but means you should avoid scanning directories that contain secrets unless you intend to. No secret exfiltration endpoints are present in the code.

ℹ Persistence & Privilege

The skill is not always-included (always:false) and is user-invocable by default. Model invocation is allowed (disable-model-invocation:false) — this is normal platform behavior but do note that an autonomously-invoking agent could run this scanner against local paths if given the permission. Given the scanner's ability to read arbitrary files, enabling autonomous invocation increases the blast radius and should be considered before granting that capability.

Version History

v0.2.4

Reduce ClawHub static-scan false positive, update OpenClaw {baseDir} usage examples, and fix command-level help handling.

v0.2.3

Clean up ClawHub package contents: remove generated report artifacts and keep only the intentional skill files, while preserving the v0.2 trust workflow and updated commands.

v0.2.2

Align ClawHub package with v0.2 trust workflow: add trust command, clarify compare/trust baseline usage, improve positioning/copy, and sync packaged scripts with reviewed repo changes.

v0.2.1

Fix packaged CLI help/examples to use scripts/cli.js consistently.

v0.2.0

v0.2: stronger trust summaries, better manifest drift detection, and template-literal scan fix.

v0.1.2

Fix skill runtime packaging, unify script paths, and sharpen artifact usability.

v0.1.1

Sharpened positioning: scan before trust, compare after updates.

v0.1.0

Initial release: local-first integrity and drift scanner for skills and repos.

Metadata

Slug driftguard

Version 0.2.4

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 8

Frequently Asked Questions

What is Driftguard?

Trust-then-verify integrity scanner for local repos and OpenClaw skills. Use when you want to scan before trust, save a trusted baseline, compare after updat... It is an AI Agent Skill for Claude Code / OpenClaw, with 327 downloads so far.

How do I install Driftguard?

Run "/install driftguard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Driftguard free?

Yes, Driftguard is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Driftguard support?

Driftguard is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Driftguard?

It is built and maintained by david90232 (@david90232); the current version is v0.2.4.

More Skills

Driftguard