- Downloads: 175
- Stars: 2
- Active Installs: 0
- Versions: 14
Install in OpenClaw
/install tommo-skill-guard
Description
Security scanner for OpenClaw agent skills. Pre-install check via ClawHub page, local pattern scanning via read tool (zero exec), integrity verification. Use...
Usage Guidance
This appears coherent and read-only: it will read files under ./skills/ and check the ClawHub skill page before install. Before using it, confirm (1) your agent environment has network/browser access if you want the ClawHub pre-install check to run, (2) you are OK with the scanner reading all files in a skill (it may surface any hardcoded secrets present), and (3) where snapshots/baselines will be stored and whether those stored baselines may contain sensitive info. Remember the tool reports raw pattern matches and can produce false positives; do not rely solely on its score — review findings manually and verify ClawHub's trustworthiness before acting on a remote 'Security Scan' result.
Capability Assessment
Purpose & Capability
Name/description match the instructions: it scans skill files under ./skills, performs a ClawHub page check, and optionally saves baselines. No unrelated credentials, binaries, or installs are requested. Note: the pre-install step references using a browser or the 'clawhub' CLI which are not declared as required; these are optional behaviours but may need network/browser support to be useful.
Instruction Scope
Instructions constrain the agent to use the built-in read tool (read-only) and only scan files in ./skills/, and to never auto-baseline. The SKILL.md also tells the agent to navigate to a ClawHub page (external web fetch) and to 'snapshot' it — snapshot storage is not specified. These external web checks are expected for a pre-install check but are outside the local filesystem scope.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install model. All scanning is done via local reads; nothing is downloaded or executed.
Credentials
No required environment variables, credentials, or config paths are declared or referenced. SKILL.md does not instruct reading unrelated env vars or secrets; scanning may reveal secrets present in skill files (expected behavior).
Persistence & Privilege
always:false and normal model-invocation. The only write behavior is user-initiated baselines saved under memory/skill-guard/, which the SKILL.md documents. The skill does not request system-wide config changes or other skills' settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install tommo-skill-guard
- After installation, invoke the skill by name or use /tommo-skill-guard
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v5.0.0
Removed ALL exec usage. Pattern scanning and integrity checks via read tool only. No Node, no shell, no injection risk. Zero exec guarantee.
v4.0.0
Major security overhaul: pattern scanning via read tool (no exec injection risk), manual baselines only (no auto-baseline), validated skill names, metadata with empty capabilities/configPaths.
v3.0.1
Removed old bash script and self-promo reference file. Clean SKILL.md-only package.
v3.0.0
No bash dependency. Cross-platform via PowerShell exec. Removed self-promotion. Simplified pre-install check and pattern scanning.
v2.3.0
Security audit fixes: declared required binaries (bash, curl, sha256sum, npm) in metadata, documented VirusTotal API key requirement prominently, addressed all undeclared dependency findings from ClawHub scan
v2.2.0
Install command now inline for visibility
v2.1.0
Added standalone install command
v2.0.0
Major update: ClawHub Security Gate with pre-install flag checking via browser automation, alternative skill recommendation engine with TommoT2 capability map, published-skill self-monitoring via cron, four security modes (gate/alternatives/monitoring/local scan)
v1.5.0
Security: removed eval() pattern mention.
v1.4.0
Security: added homepage/provenance.
v1.3.0
Security: replaced npx with clawhub install.
v1.2.0
v1.1 features: self-exclusion (references/ excluded from scan), improved YAML frontmatter parsing, reduced self-scan false positives (835→335pts), added cross-promotion section
v1.1.0
Optimized description with SEO keywords, added cross-promotion with skill-analytics, expanded trigger phrases
v1.0.0
Initial release: static pattern scanning (6 categories), risk scoring, permission footprint, hash baselines, drift detection, VirusTotal integration, domain extraction, JSON output
Frequently Asked Questions
What is Skill Guard?
Security scanner for OpenClaw agent skills. Pre-install check via ClawHub page, local pattern scanning via read tool (zero exec), integrity verification. Use... It is an AI Agent Skill for Claude Code / OpenClaw, with 175 downloads so far.
How do I install Skill Guard?
Run "/install tommo-skill-guard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Guard free?
Yes, Skill Guard is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Guard support?
Skill Guard is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill Guard?
It is built and maintained by TommoT2 (@tommot2); the current version is v5.0.0.