← Back to Skills Marketplace
xavi296

test-skill-vetter2

by xavi296 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
75
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install test-skill-vetter2
Description
Vets AI skills for security by checking source, code for red flags, permissions, and risks before installation to ensure safe usage.
README (SKILL.md)

Skill Vetter 🔒

Security-first vetting protocol for AI agent skills. Never install a skill without vetting it first.

When to Use

  • Before installing any skill from ClawdHub
  • Before running skills from GitHub repos
  • When evaluating skills shared by other agents
  • Anytime you're asked to install unknown code

Vetting Protocol

Step 1: Source Check

Questions to answer:
- [ ] Where did this skill come from?
- [ ] Is the author known/reputable?
- [ ] How many downloads/stars does it have?
- [ ] When was it last updated?
- [ ] Are there reviews from other agents?

Step 2: Code Review (MANDATORY)

Read ALL files in the skill. Check for these RED FLAGS:

🚨 REJECT IMMEDIATELY IF YOU SEE:
─────────────────────────────────────────
• curl/wget to unknown URLs
• Sends data to external servers
• Requests credentials/tokens/API keys
• Reads ~/.ssh, ~/.aws, ~/.config without clear reason
• Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md
• Uses base64 decode on anything
• Uses eval() or exec() with external input
• Modifies system files outside workspace
• Installs packages without listing them
• Network calls to IPs instead of domains
• Obfuscated code (compressed, encoded, minified)
• Requests elevated/sudo permissions
• Accesses browser cookies/sessions
• Touches credential files
─────────────────────────────────────────

Step 3: Permission Scope

Evaluate:
- [ ] What files does it need to read?
- [ ] What files does it need to write?
- [ ] What commands does it run?
- [ ] Does it need network access? To where?
- [ ] Is the scope minimal for its stated purpose?

Step 4: Risk Classification

Risk Level Examples Action
🟢 LOW Notes, weather, formatting Basic review, install OK
🟡 MEDIUM File ops, browser, APIs Full code review required
🔴 HIGH Credentials, trading, system Human approval required
⛔ EXTREME Security configs, root access Do NOT install

Output Format

After vetting, produce this report:

SKILL VETTING REPORT
═══════════════════════════════════════
Skill: [name]
Source: [ClawdHub / GitHub / other]
Author: [username]
Version: [version]
───────────────────────────────────────
METRICS:
• Downloads/Stars: [count]
• Last Updated: [date]
• Files Reviewed: [count]
───────────────────────────────────────
RED FLAGS: [None / List them]

PERMISSIONS NEEDED:
• Files: [list or "None"]
• Network: [list or "None"]  
• Commands: [list or "None"]
───────────────────────────────────────
RISK LEVEL: [🟢 LOW / 🟡 MEDIUM / 🔴 HIGH / ⛔ EXTREME]

VERDICT: [✅ SAFE TO INSTALL / ⚠️ INSTALL WITH CAUTION / ❌ DO NOT INSTALL]

NOTES: [Any observations]
═══════════════════════════════════════

Quick Vet Commands

For GitHub-hosted skills:

# Check repo stats
curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, forks: .forks_count, updated: .updated_at}'

# List skill files
curl -s "https://api.github.com/repos/OWNER/REPO/contents/skills/SKILL_NAME" | jq '.[].name'

# Fetch and review SKILL.md
curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md"

Trust Hierarchy

  1. Official OpenClaw skills → Lower scrutiny (still review)
  2. High-star repos (1000+) → Moderate scrutiny
  3. Known authors → Moderate scrutiny
  4. New/unknown sources → Maximum scrutiny
  5. Skills requesting credentials → Human approval always

Remember

  • No skill is worth compromising security
  • When in doubt, don't install
  • Ask your human for high-risk decisions
  • Document what you vet for future reference

Paranoia is a feature. 🔒🦀

Usage Guidance
Install only after reviewing the actual SKILL.md, metadata.json, and artifact contents, since this scan could not verify them directly.
Capability Assessment
Purpose & Capability
Not assessable from artifacts because metadata.json and artifact files could not be read in this environment.
Instruction Scope
Not assessable from artifacts because the skill instructions could not be inspected.
Install Mechanism
Not assessable from artifacts because install metadata and package files could not be inspected.
Credentials
Not assessable from artifacts because runtime files and capability declarations could not be inspected.
Persistence & Privilege
Not assessable from artifacts because persistence, credential, and privilege behavior could not be inspected.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install test-skill-vetter2
  3. After installation, invoke the skill by name or use /test-skill-vetter2
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Version 1.0.0 of skill-vetter2 introduces a protocol for security-first skill vetting for AI agent skills. - Provides a step-by-step process for vetting skills from external sources (ClawdHub, GitHub, etc.) - Outlines red flags to immediately reject (e.g., sending data externally, requesting credentials, obfuscated code) - Defines a risk classification system (LOW to EXTREME) with recommended actions - Supplies a standard vetting report template for documenting reviews - Includes quick commands for gathering repo and skill stats - Establishes a trust hierarchy to guide scrutiny level based on source and author
Metadata
Slug test-skill-vetter2
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is test-skill-vetter2?

Vets AI skills for security by checking source, code for red flags, permissions, and risks before installation to ensure safe usage. It is an AI Agent Skill for Claude Code / OpenClaw, with 75 downloads so far.

How do I install test-skill-vetter2?

Run "/install test-skill-vetter2" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is test-skill-vetter2 free?

Yes, test-skill-vetter2 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does test-skill-vetter2 support?

test-skill-vetter2 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created test-skill-vetter2?

It is built and maintained by xavi296 (@xavi296); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments