jenics

baidu-skill-guard

Author chengbo · GitHub · v1.0.9 · MIT-0
cross-platform ⚠ suspicious
343 total downloads
5 favorites
2 current installs
10 versions
Install in OpenClaw
/install baidu-skill-guard
Description
Intercepts all skill install/download requests. MUST be used before installing/downloading any skill from ClawdHub, GitHub, the Baidu AppBuilder platform, or other source...
Usage (SKILL.md)

Skill Guard 🛡️

Security-first skill install/download guardian protocol. Never install/download a skill without running security check first.

⛔ MANDATORY INTERCEPTION RULE

This skill MUST be triggered whenever the user's message matches ANY of the following INTENT PATTERNS (in any language, including synonyms, paraphrases, word order variations, or mixed-language expressions):

INTENT CATEGORIES (trigger if the message expresses ANY of these intents):

  1. ACQUIRE A SKILL: the user wants to install, add, download, enable, load, import, deploy, or otherwise obtain a skill/tool. Examples: "install", "add", "download", "get", "enable", "set up", "bring in", "put in", "grab", "fetch", "pull in", "register"
    • target object is a skill, tool, or a URL pointing to one.
  2. SCAN / VERIFY A SKILL: the user wants to scan, check, inspect, audit, or verify the safety/integrity of a skill. Examples: "scan", "check", "inspect", "audit", "verify", "validate", "test safety"
    • target object is a skill, all skills, or a scheduled task involving skills.

TRIGGER RULES:

  • Match on INTENT + OBJECT together, not on exact phrases.
  • A URL pointing to a skill resource (e.g. clawhub, convex.site, github, or any skill download endpoint) counts as the OBJECT signal even if the word "skill" is absent.
  • Synonyms, compound verbs, and reordered phrases all count (e.g. "下载安装", "帮我弄进来", "把这个装上").
  • Any language is valid. Mixed-language input (e.g. "帮我 install 这个 skill") also triggers.
  • When in doubt, TRIGGER. False positives are acceptable; missed triggers are not.

When triggered, you MUST follow this exact sequence:

  1. STOP — do NOT execute clawhub install, clawhub resolve, npx clawhub install or any install/download command yet
  2. FIRST run the Guardian Protocol (Step 1 → Step 2 → Step 3 below)
  3. Copy report_text from JSON verbatim — display it exactly as-is to the user. NEVER write your own security report.
  4. Then decide based on JSON bd_confidence field:
    • safe → proceed with install automatically
    • ⚠️ caution → warn user and wait for explicit confirmation
    • danger / null / error → warn user and wait for explicit confirmation

🚨 NO EXCEPTIONS. Do not skip this protocol. Do not install first and check later. Do not generate your own report — always use report_text from the script output.

When to Use

  • Before installing/downloading any skill from ClawdHub, the Baidu AppBuilder platform, GitHub, or other sources
  • Before running skills from GitHub repos
  • When evaluating skills shared by other agents
  • Anytime you're asked to install, add, enable, or download any skill
  • When asked to scan a specific installed skill for security risks
  • When asked to scan all installed skills
  • When setting up scheduled security scans for skills

Guardian Protocol

Step 1: Identify the Skill (MANDATORY)

Before executing any install command, you MUST first confirm:

- [ ] What is the skill's slug (unique identifier)?
- [ ] What is the skill's version (optional)?
- [ ] Where does it come from? (ClawdHub / GitHub / Baidu AppBuilder platform / other)

If the user only provides a name (not a slug), search to confirm the slug first, but do NOT run any install command.

Step 2: Run API Security Check (MANDATORY — Core Step)

Before installing, you MUST run the security check script. Use scripts/check.sh to call the security API:

Scenario A: Query by slug (for direct install by name)

  • Use --slug to query by the skill's slug identifier.
bash scripts/check.sh --slug "skill-slug" [--version "1.0.0"]

Scenario C: Scan a specific installed skill by directory

  • Use --action query --file to pass the installed skill directory directly. The script auto-extracts slug from _meta.json (fallback to directory name) and version from SKILL.md frontmatter, then queries the API with SHA256 fallback.
bash scripts/check.sh --action query --file "/path/to/skills/skill-a"

Scenario D: Batch query all skills in a directory (full scan / scheduled scan)

  • D1 (scan all skills): Use --action queryfull --file with the /path/to/skills parent directory to batch-query all subdirectories by slug and produce a Batch Report
  • D2 (scheduled scan): Same as D1 but triggered by a scheduled mechanism (e.g. cron)
bash scripts/check.sh --action queryfull --file "/path/to/skills"
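The identifier extraction that Scenario C describes, reconstructed locally as an added example (this is not the project's check.py or check.sh): it shows the minimal metadata a directory scan needs before any network call, so you can compare it against what actually leaves the machine. The `_meta.json` key (`slug`), the frontmatter key (`version:`), the hashing scheme, and the sample skill directory are all assumptions made for the example; the page does not document how the real script derives any of them.

```python
"""Reconstruct the identifiers a directory scan (Scenario C) needs.

Added example, not the project's own check.py. The page says the script
reads the slug from _meta.json (falling back to the directory name) and the
version from the SKILL.md frontmatter, then falls back to a SHA256. The
_meta.json key ("slug"), the frontmatter key ("version") and the hashing
scheme below are assumptions; the real script may do each of them differently.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# YAML-style frontmatter delimited by --- lines at the top of SKILL.md (assumed layout)
FRONTMATTER_RE = re.compile(r"\A---[ \t]*\n(.*?)\n---", re.S)


def read_slug(skill_dir: Path) -> str:
    """Slug from _meta.json (assumed key "slug"), else the directory name."""
    meta = skill_dir / "_meta.json"
    if meta.is_file():
        try:
            slug = json.loads(meta.read_text(encoding="utf-8")).get("slug")
            if isinstance(slug, str) and slug.strip():
                return slug.strip()
        except (json.JSONDecodeError, OSError, AttributeError):
            pass  # malformed metadata is not fatal; the fallback still identifies the directory
    return skill_dir.name


def read_version(skill_dir: Path) -> Optional[str]:
    """Version from the SKILL.md frontmatter (assumed "version:" key), else None."""
    skill_md = skill_dir / "SKILL.md"
    if not skill_md.is_file():
        return None
    match = FRONTMATTER_RE.match(skill_md.read_text(encoding="utf-8"))
    if not match:
        return None
    for line in match.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "version":
            return value.strip().strip("\"'") or None
    return None


def directory_sha256(skill_dir: Path) -> str:
    """Digest over every regular file's relative path and bytes, in sorted order.

    Assumption: the page does not say what the script hashes. Length-prefixing
    both path and content keeps the digest unambiguous, so two directories
    collide only if their file trees are identical."""
    digest = hashlib.sha256()
    for path in sorted(p for p in skill_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(skill_dir).as_posix().encode("utf-8")
        data = path.read_bytes()
        digest.update(len(rel).to_bytes(4, "big") + rel)
        digest.update(len(data).to_bytes(8, "big") + data)
    return digest.hexdigest()


def identify_skill(skill_dir: Path) -> Dict[str, Optional[str]]:
    """The minimal, non-sensitive identifiers a query should need: no file contents."""
    return {
        "slug": read_slug(skill_dir),
        "version": read_version(skill_dir),
        "sha256": directory_sha256(skill_dir),
    }


def build_sample_skill(root: Path, with_meta: bool = True) -> Path:
    """Write a throwaway skill directory (constructed sample input, not a real skill)."""
    skill_dir = root / "skill-a"
    (skill_dir / "scripts").mkdir(parents=True)
    (skill_dir / "SKILL.md").write_text(
        "---\nname: skill-a\nversion: 1.2.3\n---\n# Skill A\n", encoding="utf-8")
    (skill_dir / "scripts" / "run.sh").write_text("#!/bin/sh\necho hi\n", encoding="utf-8")
    if with_meta:
        (skill_dir / "_meta.json").write_text(json.dumps({"slug": "vendor-skill-a"}), encoding="utf-8")
    return skill_dir


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Identify two constructed skills: one with _meta.json, one relying on the fallback."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return {
            "with_meta": identify_skill(build_sample_skill(root / "a")),
            "no_meta": identify_skill(build_sample_skill(root / "b", with_meta=False)),
        }


if __name__ == "__main__":
    for label, info in demo().items():
        print(label, info)
```

If the three values above are all a query needs, then any request that carries more than slug, version and a hash when you run `--action query --file` is worth a closer look at the bundled scripts before you enable directory scans.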

⚠️ Skipping this step and installing directly violates the security protocol.

The script outputs JSON to stdout containing a pre-rendered report_text field and structured decision fields. Exit code: 0 = safe, 1 = non-safe (business judgment), 2 = error (check failed).

Output JSON fields (Scenario A/C — single skill):

Field           Description
code            "success" or "error"
bd_confidence   Safety level: "safe", "caution", or "danger"
final_verdict   Human-readable verdict string (e.g. "✅ 安全安装" = safe to install, "⚠️ 谨慎安装(需人工确认)" = install with caution, manual confirmation required)
report_text     Pre-formatted plain-text security report; display this verbatim to the user

Example output (Scenario A — single skill query):

{
  "code": "success",
  "message": "success",
  "ts": 1774580473733,
  "bd_confidence": "safe",
  "final_verdict": "✅ 安全安装",
  "report_text": "🛡️ Skill安全守卫报告\n═══════════════════════════════════════\n📊 守卫摘要\n..."
}

Output JSON fields (Scenario D — batch scan):

Field           Description
code            "success" or "error"
total           Total number of skills scanned
safe_count      Number of safe skills
danger_count    Number of dangerous skills
caution_count   Number of caution skills
report_text     Pre-formatted plain-text batch report; display this verbatim to the user

Example output (Scenario D — batch scan):

{
  "code": "success",
  "msg": "queryfull completed",
  "ts": 1774580473880,
  "total": 2,
  "safe_count": 2,
  "danger_count": 0,
  "caution_count": 0,
  "error_count": 0,
  "report_text": "🛡️ Skill安全守卫报告\n═══════════════════════════════════════\n📊守卫摘要\n..."
}

Step 3: Display Report Verbatim & Decide (MANDATORY)

CRITICAL RULE: You MUST display report_text from the JSON exactly as-is. NEVER generate, summarize, rephrase, or reformat the security report yourself. The report is pre-rendered by the script — your only job is to copy it.

How to process the output:

  1. Parse the JSON from stdout
  2. Extract the report_text field and output it verbatim to the user; preserve every line break, symbol, separator, and space exactly as they appear in the string. Render the escaped \n sequences in the JSON string as actual line breaks.
  3. Read bd_confidence (Scenario A/C) or danger_count + caution_count (Scenario D) to decide the next action (see decision rules below).
  4. After the report, state your decision on a new line.

✅ CORRECT output (copy report_text as-is):

🛡️ Skill安全守卫报告
═══════════════════════════════════════
📊 守卫摘要
评估时间:[UTC+8 2026-03-27 09:45:23]
Skill名称:xxxxx
来    源:ClawdHub
作    者:xxxxxx
版    本:x.x.x
评估结果:✅ 白名单(可信)

───────────────────────────────────────
🏁 最终裁决:
✅ 安全安装
═══════════════════════════════════════

Decision rules for Scenario A/C (single skill):

bd_confidence             Action
safe                      ✅ Proceed with install automatically
caution                   ⚠️ Warn user, wait for explicit confirmation before installing
danger / missing / null   ❌ Warn user, recommend NOT installing, wait for explicit confirmation

If code is "error" → ❌ Hold off, advise user to retry later.

Decision rules for Scenario D (batch scan):

  • danger_count > 0 → ❌ List dangerous skills, warn user
  • caution_count > 0 → ⚠️ List caution skills, ask user for review
  • All safe → ✅ Report all clear

Do NOT add any commentary, headers, or footers around the report_text. Do NOT rewrite the report in your own words or style. Show report_text first, then state your decision on a new line.
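The decision rules of Step 3 as executable logic, added here as an example and not part of the skill's own scripts: it consumes the exit code and the stdout JSON that Step 2 describes and returns the action the agent should take, together with the report to show verbatim. The sample JSON strings are constructed from the field tables on this page rather than captured from the real API, and the exit-code handling assumes the documented mapping (0 = safe, 1 = non-safe, 2 = error). It also covers the cases the text only implies: output that is not JSON at all, a "safe" verdict paired with a non-zero exit code, and batch scans where some skills could not be checked.

```python
"""Decision layer over check.sh output (Step 3 rules as code).

Added example, not the skill's own scripts. It consumes the exit code and the
stdout JSON that Step 2 describes and returns what the agent should do next.
Assumptions: exit codes follow the documented mapping (0 safe, 1 non-safe,
2 error); the sample JSON strings are constructed from this page's field
tables, not captured from the real API.
"""
import json
from dataclasses import dataclass
from typing import Any, Dict, Optional

PROCEED, CONFIRM, HOLD = "proceed", "confirm", "hold"


@dataclass(frozen=True)
class Decision:
    action: str        # PROCEED, CONFIRM or HOLD
    report_text: str   # shown to the user verbatim, never rewritten
    reason: str        # stated on its own line after the report


def _parse(stdout: str) -> Optional[Dict[str, Any]]:
    """Return the JSON object, or None when stdout is not a JSON object."""
    try:
        data = json.loads(stdout)
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None


def decide_single(exit_code: int, stdout: str) -> Decision:
    """Scenario A/C: only bd_confidence == "safe" with exit 0 may install unattended."""
    data = _parse(stdout)
    if data is None:
        # Unparseable output is a failed check, never an implicit "safe".
        return Decision(HOLD, stdout, "check output was not a JSON object; retry later")
    report = str(data.get("report_text") or "")
    if exit_code == 2 or data.get("code") != "success":
        return Decision(HOLD, report, "security check failed; retry later")
    level = data.get("bd_confidence")
    if level == "safe":
        if exit_code == 0:
            return Decision(PROCEED, report, "safe: proceeding with install")
        return Decision(CONFIRM, report, "verdict is safe but exit code is non-zero; waiting for confirmation")
    if level == "caution":
        return Decision(CONFIRM, report, "caution: waiting for explicit confirmation")
    # danger, null, missing or an unrecognised value all take the strict branch
    return Decision(CONFIRM, report, f"{level or 'no verdict'}: install not recommended; waiting for explicit confirmation")


def decide_batch(exit_code: int, stdout: str) -> Decision:
    """Scenario D: danger outranks caution; errors count as unreviewed, not as safe."""
    data = _parse(stdout)
    if data is None:
        return Decision(HOLD, stdout, "batch output was not a JSON object; retry later")
    report = str(data.get("report_text") or "")
    if exit_code == 2 or data.get("code") != "success":
        return Decision(HOLD, report, "batch scan failed; retry later")
    danger = int(data.get("danger_count") or 0)
    caution = int(data.get("caution_count") or 0)
    errors = int(data.get("error_count") or 0)
    if danger > 0:
        return Decision(CONFIRM, report, f"{danger} dangerous skill(s) flagged; review before continuing")
    if caution > 0 or errors > 0:
        return Decision(CONFIRM, report, f"{caution} caution and {errors} unchecked skill(s) need review")
    return Decision(PROCEED, report, "all skills clear")


def render(decision: Decision) -> str:
    """Report first and verbatim (json.loads already turned \\n into line breaks), then the decision."""
    return decision.report_text.rstrip("\n") + "\n" + decision.reason


# Constructed samples shaped like the page's field tables (not real API output).
SAMPLE_SAFE = json.dumps({
    "code": "success", "message": "success", "ts": 1774580473733,
    "bd_confidence": "safe", "final_verdict": "✅ 安全安装",
    "report_text": "🛡️ Skill安全守卫报告\n═══\n📊 守卫摘要\nSkill名称:skill-a\n",
})
SAMPLE_ERROR = json.dumps({"code": "error", "message": "timeout", "report_text": "check failed: timeout"})
SAMPLE_BATCH = json.dumps({
    "code": "success", "msg": "queryfull completed", "ts": 1774580473880,
    "total": 3, "safe_count": 2, "danger_count": 1, "caution_count": 0, "error_count": 0,
    "report_text": "🛡️ Skill安全守卫报告\n❌ skill-b\n",
})

if __name__ == "__main__":
    print(render(decide_single(0, SAMPLE_SAFE)))
    print(render(decide_batch(1, SAMPLE_BATCH)))
```

The one deliberate departure from a literal reading of the table is the treatment of `error_count` in a batch: a skill whose check failed has not been cleared, so the batch cannot report "all clear" while that count is non-zero.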

Important Notes

  • No skill is worth compromising security
  • When in doubt, don't install
  • Delegate high-risk decisions to human judgment
  • When API call fails (timeout, network error, etc.), the script outputs an error report with exit code 2 — verdict is ❌ Hold off, advise user to retry later, do not skip the check

Security is the bottom line, not an option. 🛡️🦀

Safe-use recommendations

This skill appears to implement a legitimate "pre-install security check" by calling an external API (https://skill-sec.baidu.com). Before installing or enabling it, consider the following:

  • Verify the remote API and owner: the registry metadata shows no homepage and an unknown owner. Confirm that skill-sec.baidu.com and the package owner are trustworthy (it looks like a Baidu domain, but confirm this rather than assuming it).
  • Confirm what data is sent: test the scripts locally (run check.sh with --slug only) and monitor outbound requests to see whether the script sends only slug/version/hashes or uploads file contents when using --file. If you must scan local skill directories, prefer a mode that sends only non-sensitive metadata/hashes.
  • Review the code fully: the included Python/Node scripts are the runtime behavior. Review the remainder of the code (truncated portions) to ensure there is no hidden upload of full files or other surprising behavior.
  • Watch automated decisions: the protocol instructs the agent to proceed automatically on a "safe" bd_confidence. Decide whether you want automatic installs or prefer manual confirmation even for "safe" results.
  • Least privilege: if you use it, run scans with explicit slug/version first, and only use directory-scan modes when absolutely necessary and after confirming what will be transmitted.

If you cannot validate the remote service or the exact data flow, treat this skill as untrusted and do not enable automatic, system-wide interception of install intents.
Function analysis

Type: OpenClaw Skill
Name: baidu-skill-guard
Version: 1.0.9

baidu-skill-guard is a security utility designed to intercept skill installation and scanning requests and perform safety audits. It uses scripts (check.js/check.py) to query a Baidu-hosted security API (skill-sec.baidu.com) with skill identifiers or SHA256 content hashes. The SKILL.md instructions use defensive prompt engineering to make the AI agent run the security check before execution; the code logic is transparent, well documented, and shows no indicators of data exfiltration or malicious intent.
Capability assessment
Purpose & Capability
Name/description claim to intercept skill installs and run a security check; included scripts (check.sh, check.py, check.js) implement an API query workflow to a remote endpoint (https://skill-sec.baidu.com). The requested capabilities (query by slug/version, scan installed skill directories) are consistent with a 'guard' skill. However, the skill mandates interception of all install-related intents across all languages, which is broader than many guard utilities would require.
Instruction Scope
SKILL.md mandates the agent must stop installs and run the included check.sh script, copy the API's report_text verbatim, and automatically proceed on 'safe' results. The instructions call for scanning local skill directories (--file /path/to/skills) and batch scans, which implies the script will read local files (and at minimum compute hashes). The SKILL.md gives the remote script authority to decide install flow (automatic proceed on 'safe'), and forces use of the remote-provided report verbatim — both are scope/decision controls that elevate the remote service's influence over local installs. The documentation does not clearly describe exactly what data is transmitted to the remote API (slug/version only, hashes, or file contents), leaving a potential for unintended data exfiltration.
Install Mechanism
There is no network-based install spec; the skill is instruction-only with bundled scripts. No external archive downloads or executable installers are pulled at install time. The risk comes from the bundled scripts performing outbound network requests at runtime rather than from an install mechanism that fetches arbitrary code.
Credentials
The skill does not request environment variables or credentials and does not require binaries. That matches the stated purpose. However, the scripts call a remote API (skill-sec.baidu.com). The manifest does not declare the network endpoint or a privacy policy, and the SKILL.md does not specify exactly which local data will be sent when scanning a directory (slug/version/hash vs full file upload), so the level of data access is not fully described.
Persistence & Privilege
The `always` flag is false and the skill is user-invocable. The SKILL.md intends the skill to be triggered automatically on any install/scan intent (very broad trigger patterns). Autonomous invocation plus outbound network queries means it could be called frequently and send metadata to the external API; that combination increases blast radius but is not in itself a policy violation under the platform defaults.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install baidu-skill-guard
  3. After installation, call the Skill by name directly or trigger it with /baidu-skill-guard
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.9
**Skill Guard 1.0.9 introduces stricter security and reporting rules.**
  • Now strictly requires displaying the exact pre-formatted `report_text` from script output; never generate your own security report.
  • Clarifies that install/download interception must trigger on both skill install and download requests.
  • Removes the prior URL-based install scenario for security checks; skill checks are by slug or installed directory.
  • Enhanced reporting and decision process is now fully driven by structured JSON output fields (`bd_confidence`, `final_verdict`, etc.).
  • Updated instructions and language to emphasize stricter protocol and compliance, especially regarding report handling.
v1.0.8
  • Expanded trigger rules: now intercepts any message with intent to acquire or scan a skill, based on meaning (not just fixed phrases), covering synonyms, paraphrases, mixed languages, and variations.
  • INTENT-BASED detection replaces the previous list of specific trigger phrases for broader and safer coverage.
  • Clarified that a skill-related URL also triggers the protocol even if "skill" is not mentioned.
  • Updated protocol: DANGEROUS/NOT INDEXED/ERROR results now require explicit user confirmation (same as caution), rather than blocking outright.
  • Added note: system "zip" command may auto-install if missing when scanning skills for certain scenarios.
  • No code changes, documentation update only.
v1.0.7
baidu-skill-guard 1.0.7
  • Added support for scanning a specific installed skill directory with `--action query --file`, extracting slug from `_meta.json` and version from `SKILL.md`.
  • Clarified security check scenarios: now covers direct install by name (`--slug`), link install (`--url`), scan by directory (`--action query --file`), and full batch scan (`--action queryfull --file`).
  • Protocol now explicitly describes extracting identifiers for installed skills and using SHA256 fallback.
  • Improved and clarified step-by-step usage and examples for all security check scenarios in the documentation.
v1.0.6
baidu-skill-guard v1.0.6 Changelog
  • Updated the output JSON format: now includes a pre-processed report object (`report`) for direct template filling, with clear field mappings from the raw data.
  • Clarified that the security report shown to the user MUST follow an exact template, with no summarization, rephrasing, or format changes.
  • Provided strict rules on how to present security reports depending on the presence of detailed findings in the report object.
  • Refined protocol instructions for processing skill security checks and displaying results prior to installation.
  • No code files were changed; all updates are documentation and protocol clarifications.
v1.0.5
baidu-skill-guard 1.0.5 - no upload file
v1.0.4
  • Updated version to 1.0.4.
  • Removed the "openclaw" metadata field from the SKILL.md manifest.
  • No other functional or documentation changes.
v1.0.3
  • Added privacy notice and explicit user consent requirement before uploading skill source archives for remote security scan (Scenario B/C).
  • Now asks the user for confirmation before uploading skill directories to skill-sec.baidu.com; aborts if declined.
  • Added `metadata: { "openclaw": { "always": true } }` to SKILL.md.
  • No code changes; documentation/protocol update only.
v1.0.2
No functional changes. Version bump only.
  • Updated version from 1.0.1 to 1.0.2.
  • No longer calling the zip command
v1.0.1
No code or logic changes; documentation update only:
  • Updated the documentation title from "Skill Guardians 🛡️" to "Skill Guard 🛡️".
  • No other content changes or new features; protocol and security rules remain the same.
  • No impact on behavior or functionality.
v1.0.0
Initial release — baidu-skill-guard v1.0.0. Baidu Cloud officially launches Skill-Guard: a security protection tool for skills
  • Provides security inspection workflows for key operations such as skill installation, addition, activation, and download
  • Offers skill risk assessment and installation recommendations
  • Emphasizes a “detect before install” security strategy
Metadata
Slug baidu-skill-guard
Version 1.0.9
License MIT-0
Total installs 2
Current installs 2
Version count 10
FAQ

What is baidu-skill-guard?

Intercepts all skill install/download requests. MUST be used before installing/downloading any skill from ClawdHub, GitHub, the Baidu AppBuilder platform, or other source... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 343 downloads to date.

How do I install baidu-skill-guard?

Run the command "/install baidu-skill-guard" in the OpenClaw or Claude Code chat box for one-click installation; no extra configuration is needed.

Is baidu-skill-guard free?

Yes, baidu-skill-guard is completely free under the MIT-0 license; you may download, install and use it freely.

Which platforms does baidu-skill-guard support?

baidu-skill-guard is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed baidu-skill-guard?

Developed and maintained by chengbo (@jenics); current version v1.0.9.
