← Back to Skills Marketplace
250
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install skill-security-vetter
Description
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope,...
Usage Guidance
This is a coherent, instruction-only vetter appropriate for pre-install checks. Before using it, ensure the agent executing these instructions is sandboxed so "read ALL files" is scoped to the skill package (not the whole filesystem). The vetting commands use public GitHub endpoints — avoid running them against private/restricted hosts unless you trust the network. Remember: the vetter reports red flags but does not itself verify semantics; for HIGH/EXTREME cases perform a manual human review and do not grant credentials or elevated rights to a skill based solely on this automated report.
Capability Analysis
Type: OpenClaw Skill
Name: skill-security-vetter
Version: 1.0.0
The skill is a security-focused utility designed to help AI agents vet other skills before installation. It provides a structured protocol for identifying red flags such as data exfiltration, credential theft, and obfuscated code. The included shell commands in SKILL.md are limited to fetching repository metadata and file contents from the GitHub API for auditing purposes, aligning perfectly with its stated defensive purpose.
Capability Assessment
Purpose & Capability
The skill's name/description (a skill vetter) matches the instructions: it mandates reviewing files, checking sources, and querying public GitHub endpoints. It does not request unrelated binaries, credentials, or system configuration, which is proportionate for a vetting tool.
Instruction Scope
Instructions explicitly require reading "ALL files in the skill" and running curl against GitHub APIs/raw.githubusercontent for GitHub-hosted skills. This is appropriate for a vetter, but it grants broad read access to the skill package and requires network access to GitHub. The SKILL.md also instructs checking for reads of sensitive paths (e.g., ~/.ssh, ~/.aws) which is sensible as a red flag. Ensure the agent's runtime scope is limited to the skill's files and public network endpoints when following these steps.
Install Mechanism
No install spec or code files are present (instruction-only). Nothing is written to disk by the skill itself — lowest-risk installation footprint.
Credentials
The skill declares no required environment variables, credentials, or config paths. The instructions do not instruct reading env vars or secret files (they explicitly list those as red flags). This is proportionate.
Persistence & Privilege
always is false and there is no installation or self-modifying behavior. The skill does not request persistent presence or elevated privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skill-security-vetter - After installation, invoke the skill by name or use
/skill-security-vetter - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Skill Security Vetting?
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope,... It is an AI Agent Skill for Claude Code / OpenClaw, with 250 downloads so far.
How do I install Skill Security Vetting?
Run "/install skill-security-vetter" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Security Vetting free?
Yes, Skill Security Vetting is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Security Vetting support?
Skill Security Vetting is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Skill Security Vetting?
It is built and maintained by hsyhph (@hsyhph); the current version is v1.0.0.
More Skills