← Back to Skills Marketplace

SkillGuard Security Scanner

Name: SkillGuard Security Scanner
Author: jonathanliu811026

by Jonathanliu811026 · GitHub ↗ · v0.1.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install skill-guard-security

Description

Security auditing for OpenClaw agent skills. Scans skills for dangerous patterns, vulnerable dependencies, and suspicious behaviors before installation.

Usage Guidance

This skill is an instruction-only wrapper that tells you to run an external npm tool (npx skillguard-audit) rather than providing its own scanner. That means installing or invoking it will download and execute code from the npm registry — a supply-chain and execution risk. Before using it: (1) prefer a skill that includes its scanner code or a verified source URL; (2) ask the publisher for the npm package name, repository link, and a release checksum; (3) inspect the npm package source or run it in a sandboxed environment (isolated container) if you must use it; (4) do not run its 'serve' command on production hosts; and (5) be cautious about granting any credentials or opening network ports. If the author can provide a hosted repository (GitHub release) or include the scanner implementation in the skill bundle, that would reduce the concern.

Capability Analysis

Type: OpenClaw Skill Name: skill-guard-security Version: 0.1.0 The skill bundle contains no functional code, only documentation (SKILL.md) that instructs the agent to execute an external package via 'npx skillguard-audit'. This approach is suspicious as it encourages the agent to perform remote code execution (RCE) by fetching and running unverified third-party code from a registry, which is a high-risk supply chain behavior, especially for a tool claiming to provide security auditing.

Capability Assessment

ℹ Purpose & Capability

Name and description claim a security scanner and the runtime instructions describe appropriate scanning features. However, the package contains no scanner implementation and instead tells users/agents to run 'npx skillguard-audit', so the actual capability would come from an external npm package rather than the skill bundle itself — this is plausible but not documented in metadata and creates a provenance gap.

⚠ Instruction Scope

SKILL.md instructs running 'npx skillguard-audit' (CLI and server) and auditing local skill folders. Those commands will fetch and execute remote code at runtime and may access local filesystem paths (e.g., './my-skill') and network ports (serve --port 3402). The instructions also reference a file (CLAWHUB_INTEGRATION.md) that is not present in the manifest. The instructions do not list required credentials but would likely need network access and possibly ClawHub access in practice.

⚠ Install Mechanism

There is no install spec and no code in the bundle, but the instructions rely on npx which dynamically downloads and executes code from the npm registry. That runtime download is a high-risk install mechanism (supply-chain execution) that is not declared or constrained by the skill metadata.

✓ Credentials

The skill declares no required environment variables, credentials, or config paths. There is nothing requesting unrelated secrets in the provided metadata or SKILL.md. That said, the external tool it instructs you to run could require credentials — but this is not declared here.

✓ Persistence & Privilege

The skill does not request 'always: true' and has no install-time persistence. Autonomous invocation is allowed (platform default) but not amplified by additional privileges in the skill metadata.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install skill-guard-security
After installation, invoke the skill by name or use /skill-guard-security
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.1.0

Initial release of skillguard: security auditing for OpenClaw agent skills. - Scans skills for dangerous code patterns, filesystem risks, and network vulnerabilities before installation. - Supports both CLI and API server modes for auditing. - Provides clear verdicts: SAFE, CAUTION, or DANGEROUS, with detailed risk breakdowns. - Integrates with ClawHub for streamlined skill auditing. - Outputs machine-readable reports for programmatic review.

Metadata

Slug skill-guard-security

Version 0.1.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is SkillGuard Security Scanner?

Security auditing for OpenClaw agent skills. Scans skills for dangerous patterns, vulnerable dependencies, and suspicious behaviors before installation. It is an AI Agent Skill for Claude Code / OpenClaw, with 99 downloads so far.

How do I install SkillGuard Security Scanner?

Run "/install skill-guard-security" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is SkillGuard Security Scanner free?

Yes, SkillGuard Security Scanner is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does SkillGuard Security Scanner support?

SkillGuard Security Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created SkillGuard Security Scanner?

It is built and maintained by Jonathanliu811026 (@jonathanliu811026); the current version is v0.1.0.

More Skills