
SkillGate Governance

by liyecom · GitHub ↗ · v0.1.2
cross-platform · ✓ Security Clean
Downloads: 571
Stars: 0
Active Installs: 0
Versions: 3
Install in OpenClaw
/install skillgate-gov
Description
Supply-chain governance for OpenClaw skills: scan, assess, quarantine/restore.
Usage Guidance
This skill appears to do what it says: it runs an npm-scoped scanner to inspect a directory and can quarantine skills by moving files in the directory you pass. Before running it, consider: (1) prefer the pinned version shown in SKILL.md and run the provided npm view / dist.integrity verification to confirm package provenance; (2) run scans read-only where possible and only use quarantine/restore when you trust the tool; (3) be aware npx will fetch and execute code from the npm registry — if you have strict supply-chain requirements run the package in a sandbox or inspect its source first (the SKILL.md points to the GitHub repo); (4) avoid running quarantine on system or shared directories you don’t control. Overall the skill is internally consistent, but treat remote-executed packages and file-moving operations with standard caution.
Capability Analysis
Type: OpenClaw Skill
Name: skillgate-gov
Version: 0.1.2
This skill bundle describes a 'SkillGate' governance tool designed to scan, assess, and quarantine/restore OpenClaw skills. The `SKILL.md` file clearly outlines its purpose, required binaries (`node`, `npm`), and the commands it executes via `npx`. While `npx` downloads and executes code, this is explicitly stated and aligned with the tool's function. The documentation also details its permissions, noting it's read-only by default but performs writes for quarantine/restore operations. There is no evidence of prompt injection, data exfiltration, obfuscation, or other malicious intent within the provided files; instead, it offers provenance verification steps. The described capabilities are consistent with a legitimate security governance tool.
Capability Assessment
Purpose & Capability
Name/description state supply-chain governance for OpenClaw skills and the SKILL.md instructs the agent to run an npm-scoped package (@skillgate/...) via npx. The declared required binaries (node, npm) match that need; no unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions focus on scanning a provided directory and explain quarantine/restore as operations on the target directory. They recommend using npx with a pinned version and show verification steps. Important operational note: npx will download and execute code from the npm registry (network fetch on first run) and quarantine operations can move/modify files inside the directory you pass — both are expected for this purpose but are material security actions the user should be aware of.
Install Mechanism
There is no install spec for the skill itself, but runtime instructions rely on npx to fetch and run @skillgate/[email protected] from npm. This is a standard mechanism for Node tools but implies executing remote package code (moderate risk); the SKILL.md provides sensible verification commands (npm view, repo URL) to mitigate that risk.
Credentials
The skill requests no environment variables, credentials, or config paths — consistent with a local governance scanner that only needs node/npm and operates on a user-supplied directory.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. The only elevated action described is quarantining (moving/marking) files inside a target directory, which is appropriate for the stated functionality and scoped to the user-specified target.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skillgate-gov
  3. After installation, invoke the skill by name or use /skillgate-gov
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
- Added a homepage link to the skill metadata, pointing to the GitHub repository.
- No other changes made to functionality or documentation.
v0.1.1
- Updated Quick Start instructions to recommend using npx with a pinned version instead of global npm install, enhancing supply-chain safety.
- Added steps for verifying package provenance and how to check metadata before running.
- Documented permissions, filesystem scope, and clarified that no secrets are required.
- Included local development instructions for using as a devDependency.
- Plugin command list, risk levels, and operating procedures remain unchanged.
v0.1.0
Initial release of skillgate-gov:
- Adds supply-chain governance tools for OpenClaw skills: scan, assess, quarantine, and restore.
- Provides commands to check risk levels, quarantine/restore skills, and review governance status.
- Documents risk categories and automatic actions (quarantine, disable, warn, log).
- Includes quickstart instructions for installation and usage with OpenClaw.
Metadata
Slug skillgate-gov
Version 0.1.2
License
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is SkillGate Governance?

Supply-chain governance for OpenClaw skills: scan, assess, quarantine/restore. It is an AI Agent Skill for Claude Code / OpenClaw, with 571 downloads so far.

How do I install SkillGate Governance?

Run "/install skillgate-gov" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is SkillGate Governance free?

Yes, SkillGate Governance is completely free (open-source). You can download, install and use it at no cost.

Which platforms does SkillGate Governance support?

SkillGate Governance is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created SkillGate Governance?

It is built and maintained by liyecom (@liyecom); the current version is v0.1.2.
