← Back to Skills Marketplace
trypto1019

Arc Skill Differ

by ArcSelf · GitHub ↗ · v1.0.0
darwinlinux ✓ Security Clean
919
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install arc-skill-differ
Description
Compare two versions of an OpenClaw skill to detect security-relevant changes. Use before updating any skill from ClawHub. Highlights new capabilities, chang...
README (SKILL.md)

Skill Differ

Compare two versions of an OpenClaw skill to find security-relevant changes before updating.

Why This Exists

A skill that was clean at v1.0 could add credential stealing in v1.1. The skill scanner catches known bad patterns in a single version. The differ catches new capabilities between versions — things a skill couldn't do before but can do now.

Commands

Diff two skill directories

python3 {baseDir}/scripts/differ.py diff --old ~/.openclaw/skills/some-skill/ --new /tmp/some-skill-v2/

Diff with JSON output

python3 {baseDir}/scripts/differ.py diff --old ./v1/ --new ./v2/ --json

Quick summary only (no file details)

python3 {baseDir}/scripts/differ.py diff --old ./v1/ --new ./v2/ --summary

What It Detects

New Capabilities Added

  • Network access (skill didn't make HTTP requests before, now it does)
  • Credential access (didn't read env vars or API keys before, now it does)
  • File system access (wasn't touching home directory, now it is)
  • Code execution patterns (eval/exec that didn't exist before)
  • Data exfiltration (new outbound POST requests)
  • Obfuscation (new encoded/obfuscated content)

File Changes

  • New files added (especially in scripts/)
  • Deleted files (could remove safety checks)
  • Modified files with security-relevant diffs

Recommendations

  • SAFE — No new security-relevant capabilities. Update freely.
  • REVIEW — New capabilities detected. Read the changes before updating.
  • BLOCK — Critical new capabilities (code execution, credential access). Manual audit required.

Tips

  • Always diff before updating any third-party skill
  • Pair with skill-scanner: scan before first install, diff before every update
  • Pay attention to new files — attackers add payloads in new scripts
  • If a "bug fix" update adds network access, that's suspicious
Usage Guidance
This tool appears coherent and appropriate for its purpose. Before running it: point it only at the skill directories you mean to inspect (it will read all files under the provided paths), and avoid scanning directories that contain unrelated secrets. Treat its results as a helpful signal — review any flagged changes manually (false positives are possible, especially when patterns appear in docs). Because it runs locally and asks for no credentials or network access, it's low-risk to run on skill copies prior to updates.
Capability Analysis
Type: OpenClaw Skill Name: arc-skill-differ Version: 1.0.0 The OpenClaw skill 'skill-differ' is a security analysis tool designed to compare two versions of an OpenClaw skill bundle to detect new security-relevant capabilities. Its `SKILL.md` clearly describes its purpose and the types of malicious patterns it identifies (e.g., network access, credential access, code execution, data exfiltration, prompt injection). The `scripts/differ.py` implements this detection logic using regular expressions and file system traversal. The skill itself does not exhibit any malicious behaviors, nor does its documentation attempt prompt injection against the agent; rather, it identifies such patterns in *other* skills, making it a legitimate security utility.
Capability Assessment
Purpose & Capability
Name/description promise (compare two skill versions for security-relevant changes) aligns with what is included: a Python script that scans files and SKILL.md for patterns indicating network/credential/filesystem/code-execution/data-exfiltration/obfuscation/prompt-injection. Required binary is only python3, which is proportional.
Instruction Scope
SKILL.md instructs running the included differ.py against two local directories and offers JSON/summary options. The runtime instructions only reference local paths and output formats; they do not instruct reading unrelated system state, exfiltrating data, or contacting remote endpoints.
Install Mechanism
No install spec (instruction-only with an included script). Nothing is downloaded or written during install. The included script is a static Python file that is read/executed locally.
Credentials
The skill declares no required environment variables or credentials. The differ.py scans code and SKILL.md for references to sensitive names (e.g., OPENAI_API_KEY) but it does not itself request nor require those secrets.
Persistence & Privilege
always is false and the skill does not attempt to modify agent or system-wide configuration. It runs on-demand against paths you supply.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install arc-skill-differ
  3. After installation, invoke the skill by name or use /arc-skill-differ
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of skill-differ. - Provides a tool to compare two versions of an OpenClaw skill for security-relevant changes. - Detects new capabilities (e.g., network, credential, file system access, code execution). - Reports on file changes, including added, removed, or modified files with security impact. - Offers clear recommendations: SAFE, REVIEW, or BLOCK before skill updates. - Supports plain text, JSON, and summary output modes.
Metadata
Slug arc-skill-differ
Version 1.0.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is Arc Skill Differ?

Compare two versions of an OpenClaw skill to detect security-relevant changes. Use before updating any skill from ClawHub. Highlights new capabilities, chang... It is an AI Agent Skill for Claude Code / OpenClaw, with 919 downloads so far.

How do I install Arc Skill Differ?

Run "/install arc-skill-differ" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Arc Skill Differ free?

Yes, Arc Skill Differ is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Arc Skill Differ support?

Arc Skill Differ is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux).

Who created Arc Skill Differ?

It is built and maintained by ArcSelf (@trypto1019); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments