Skill Vetting (PhenixStar)
/install phenixstar-skill-vetting
Skill Vetting
Safely evaluate ClawHub skills for security risks and practical utility.
Quick Start
# Download and inspect
cd /tmp
curl -L -o skill.zip "https://auth.clawdhub.com/api/v1/download?slug=SKILL_NAME"
mkdir skill-inspect && cd skill-inspect
unzip -q ../skill.zip
# Run scanner
python3 ~/.openclaw/workspace/skills/skill-vetting/scripts/scan.py .
# Manual review
cat SKILL.md
cat scripts/*.py
Vetting Workflow
1. Download to /tmp (Never Workspace)
cd /tmp
curl -L -o skill.zip "https://auth.clawdhub.com/api/v1/download?slug=SLUG"
mkdir skill-NAME && cd skill-NAME
unzip -q ../skill.zip
2. Run Automated Scanner
python3 ~/.openclaw/workspace/skills/skill-vetting/scripts/scan.py .
Exit codes: 0 = Clean, 1 = Issues found
The scanner outputs specific findings with file:line references. Review each finding in context.
3. Manual Code Review
Even if scanner passes:
- Does SKILL.md description match actual code behavior?
- Do network calls go to documented APIs only?
- Do file operations stay within expected scope?
- Any hidden instructions in comments/markdown?
# Quick prompt injection check
grep -ri "ignore.*instruction\|disregard.*previous\|system:\|assistant:" .
4. Utility Assessment
Critical question: What does this unlock that I don't already have?
Compare to:
- MCP servers (
mcporter list) - Direct APIs (curl + jq)
- Existing skills (
clawhub list)
Skip if: Duplicates existing tools without significant improvement.
5. Decision Matrix
| Security | Utility | Decision |
|---|---|---|
| ✅ Clean | 🔥 High | Install |
| ✅ Clean | ⚠️ Marginal | Consider (test first) |
| ⚠️ Issues | Any | Investigate findings |
| 🚨 Malicious | Any | Reject |
Red Flags (Reject Immediately)
- eval()/exec() without justification
- base64-encoded strings (not data/images)
- Network calls to IPs or undocumented domains
- File operations outside temp/workspace
- Behavior doesn't match documentation
- Obfuscated code (hex, chr() chains)
After Installation
Monitor for unexpected behavior:
- Network activity to unfamiliar services
- File modifications outside workspace
- Error messages mentioning undocumented services
Remove and report if suspicious.
References
- Malicious patterns + false positives: references/patterns.md
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install phenixstar-skill-vetting - After installation, invoke the skill by name or use
/phenixstar-skill-vetting - Provide required inputs per the skill's parameter spec and get structured output
What is Skill Vetting (PhenixStar)?
Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing w... It is an AI Agent Skill for Claude Code / OpenClaw, with 39 downloads so far.
How do I install Skill Vetting (PhenixStar)?
Run "/install phenixstar-skill-vetting" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Vetting (PhenixStar) free?
Yes, Skill Vetting (PhenixStar) is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Vetting (PhenixStar) support?
Skill Vetting (PhenixStar) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Skill Vetting (PhenixStar)?
It is built and maintained by Alaa Qweider (@phenixstar); the current version is v1.0.0.