
Evez Skill Vetter

by Evez666 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · Security: Clean
81 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw: /install evez-skill-vetter
Description
Security review for OpenClaw skills before installation. Use when evaluating third-party skills for safety, checking permission scope, detecting suspicious p...
README (SKILL.md)

Skill Vetter

Review third-party skills before installing them. Catch security risks early.

Quick Start

python3 scripts/vet.py --skill /path/to/skill
python3 scripts/vet.py --slug some-skill  # vet a ClawHub skill

What It Checks

  1. Permission scope — Does the skill request exec, network, or file access?
  2. Suspicious patterns — eval(), exec(), subprocess, fetch to unknown hosts, encoded strings
  3. Data exfiltration — Sending data to external endpoints, logging secrets
  4. Dependency risks — Known vulnerable packages, excessive dependencies
  5. Code quality — Minified/obfuscated code, missing SKILL.md, oversized files
  6. Secret exposure — Hardcoded API keys, tokens, passwords in source

Risk Score

Each check produces a risk score 0-100:

  • 0-20: ✅ Safe — install freely
  • 21-50: ⚠️ Caution — review findings before installing
  • 51-75: 🚨 Risky — significant security concerns
  • 76-100: ❌ Dangerous — do not install

Output

SKILL: some-skill
RISK: 35/100 (Caution)
FINDINGS:
  ⚠️ Uses subprocess.call() in scripts/run.sh:3
  ⚠️ Fetches from https://unknown-api.com in scripts/pull.py:12
  ✅ No hardcoded secrets found
  ✅ SKILL.md present and valid
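The README lists the checks and the 0-100 risk bands but does not show how findings turn into a score. The following is an added example written for this page, not the vetter's own scripts/vet.py: it walks a skill directory, applies regex checks for the pattern classes named above (eval/exec, subprocess, fetches to hosts outside a known list, long base64-like strings, hardcoded keys), adds a SKILL.md and oversized-file check, sums per-finding weights into a capped score, and renders it in the README's output layout. The per-finding weights, the KNOWN_HOSTS allowlist, the scannable extensions and the size limit are assumptions chosen for the example; the sample skill it vets is constructed in a temporary directory. Only the local --skill workflow is covered, not the --slug one.

```python
"""Added example of a static skill vetter; not the evez-skill-vetter code itself."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumption: hosts a reviewer would expect a skill to talk to; anything else is flagged.
KNOWN_HOSTS = {"github.com", "api.github.com", "pypi.org"}

# (points, label, regex). Point weights are an assumption for this example.
PATTERNS = [
    (25, "Calls eval()", re.compile(r"\beval\s*\(")),
    (25, "Calls exec()", re.compile(r"\bexec\s*\(")),
    (15, "Uses subprocess", re.compile(r"\bsubprocess\.(call|run|Popen|check_output)\b")),
    (10, "Long base64-like string (possible encoded payload)",
     re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")),
    (40, "Hardcoded AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    (30, "Hardcoded API key/token assignment",
     re.compile(r"\b(api[_-]?key|secret|token|password)\s*[:=]\s*['\"][^'\"]{8,}['\"]",
                re.IGNORECASE)),
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
MAX_FILE_BYTES = 200_000  # assumption: anything larger is reported as oversized
SCANNABLE = {".py", ".sh", ".js", ".ts", ".md", ".json", ".yaml", ".yml", ".toml"}


@dataclass
class Finding:
    points: int
    message: str
    path: str
    line: int  # 0 when the finding is about the file as a whole


def band(score: int) -> str:
    """Map a 0-100 score onto the README's four risk bands."""
    if score <= 20:
        return "Safe"
    if score <= 50:
        return "Caution"
    if score <= 75:
        return "Risky"
    return "Dangerous"


def scan_text(rel_path: str, text: str) -> list[Finding]:
    """Run every line of one file through the pattern and unknown-host checks."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for points, label, rx in PATTERNS:
            if rx.search(line):
                findings.append(Finding(points, label, rel_path, lineno))
        for m in URL_RE.finditer(line):
            if m.group(1).lower() not in KNOWN_HOSTS:
                findings.append(Finding(20, f"Fetches from {m.group(0)}", rel_path, lineno))
    return findings


def vet_skill(root: Path) -> dict:
    """Vet one skill directory; the score is the capped sum of finding weights."""
    findings = []
    has_skill_md = (root / "SKILL.md").is_file()
    if not has_skill_md:
        findings.append(Finding(15, "Missing SKILL.md", "SKILL.md", 0))
    for path in sorted(root.rglob("*")):  # recursive, so keep root scoped to one skill
        if not path.is_file() or path.suffix not in SCANNABLE:
            continue
        rel = path.relative_to(root).as_posix()
        if path.stat().st_size > MAX_FILE_BYTES:
            findings.append(Finding(10, "Oversized file", rel, 0))
            continue
        findings.extend(scan_text(rel, path.read_text(encoding="utf-8", errors="replace")))
    score = min(100, sum(f.points for f in findings))
    return {"skill": root.name, "score": score, "band": band(score),
            "findings": findings, "has_skill_md": has_skill_md}


def render(report: dict) -> str:
    """Format the report in the layout shown in the README's Output section."""
    lines = [f"SKILL: {report['skill']}", f"RISK: {report['score']}/100 ({report['band']})",
             "FINDINGS:"]
    for f in report["findings"]:
        where = f"{f.path}:{f.line}" if f.line else f.path
        lines.append(f"  ⚠️ {f.message} in {where}")
    if report["has_skill_md"]:
        lines.append("  ✅ SKILL.md present")
    return "\n".join(lines)


def demo() -> dict:
    """Build a constructed sample skill in a temp dir, vet it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "demo-skill"
        (root / "scripts").mkdir(parents=True)
        (root / "SKILL.md").write_text("# demo-skill\nConstructed sample for the vetter example.\n")
        (root / "scripts" / "pull.py").write_text(
            "import requests\n"
            'resp = requests.get("https://unknown-api.example/data")\n'  # constructed host
            'API_KEY = "sk-constructed-example-12345"\n')  # constructed placeholder, not a real key
        (root / "scripts" / "run.py").write_text("import subprocess\nsubprocess.call(['ls'])\n")
        report = vet_skill(root)
        print(render(report))
        return report


if __name__ == "__main__":
    demo()
```

Running it reports the constructed skill at 65/100 (Risky): 20 for the unknown host, 30 for the hardcoded key, 15 for subprocess. The weights and allowlist are the tunable part; the rest is the same regex-over-text approach the capability analysis below attributes to the real script, which is why a score from this kind of tool is a triage aid rather than a complete decision.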
Usage Guidance
This skill is reasonable to use as a local, user-invoked scanner, but keep its scope narrow and do not rely on its score as a complete security decision. Be aware that the documented --slug workflow appears unimplemented and that the script may need the click Python package to run.
Capability Analysis
Type: OpenClaw Skill
Name: evez-skill-vetter
Version: 1.0.0
The skill is a security auditing tool designed to perform static analysis on other OpenClaw skills. The primary script, scripts/vet.py, uses regex patterns to detect dangerous functions (e.g., eval, subprocess), hardcoded secrets (API keys, AWS tokens), and obfuscation techniques without executing the target code. The SKILL.md file provides clear documentation and lacks any prompt-injection attempts or deceptive instructions, and the code contains no evidence of data exfiltration or malicious intent.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The stated purpose and included code are coherent: it locally scans a user-selected skill directory for risky text patterns. However, the documentation describes broader vetting such as dependency risk checks and a ClawHub slug workflow that the provided script only partially implements.
Instruction Scope
The instructions are user-invoked CLI examples, not automatic execution. The --skill path is user-controlled and scanned recursively, so users should keep it scoped to the skill they intend to review.
Install Mechanism
There is no install spec or remote installer, which is low risk. The script imports the external Python package click, but no dependency declaration is provided, so running it may require a separately installed dependency.
Credentials
Recursive local file reading is proportionate for a static skill vetter and the artifacts show no network transmission, credential use, or persistence. It can still inspect many local files if pointed at a broad directory.
Persistence & Privilege
No background service, persistence mechanism, account privilege use, credential loading, or stored memory behavior is shown in the artifacts.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install evez-skill-vetter
  3. After installation, invoke the skill by name or use /evez-skill-vetter
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of evez-skill-vetter — security auditing tool for OpenClaw skills.
  • Performs static analysis to identify suspicious code patterns and permission requests.
  • Checks for data exfiltration risks, secret exposure, and dependency vulnerabilities.
  • Audits skill metadata, code quality, and permission scope before installation.
  • Assigns a risk score (0–100) with clear safety recommendations.
  • Provides detailed, actionable findings for each analyzed skill.
Metadata
Slug: evez-skill-vetter
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Evez Skill Vetter?

Security review for OpenClaw skills before installation. Use when evaluating third-party skills for safety, checking permission scope, detecting suspicious p... It is an AI Agent Skill for Claude Code / OpenClaw, with 81 downloads so far.

How do I install Evez Skill Vetter?

Run "/install evez-skill-vetter" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Evez Skill Vetter free?

Yes, Evez Skill Vetter is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Evez Skill Vetter support?

Evez Skill Vetter is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Evez Skill Vetter?

It is built and maintained by Evez666 (@evezart); the current version is v1.0.0.
