Total downloads: 74
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install talonforge-skill-guard
Description
Scan ClawHub skills for security vulnerabilities BEFORE installing. Use when installing new skills from ClawHub to detect prompt injections, malware payloads...
Security usage recommendations
This script mostly behaves as a pre-install scanner and is coherent with its purpose, but before using it you should: (1) verify the package ownership and metadata — the included _meta.json and the top-level registry metadata disagree; (2) avoid running the recommended 'curl | sh' installer unless you trust that source — prefer installing uv/uvx and mcp-scan from vetted, pinned releases; (3) inspect staged files in /tmp/skill-guard-staging/ before you move them into your real skills folder; (4) be cautious about using or exposing the '--skip-scan' option or manually moving quarantined skills into your workspace; and (5) prefer to pin a known-safe mcp-scan release rather than running '@latest' to reduce supply-chain risk. If you need higher assurance, request checksums or a signed release for the scanner and confirm the owner's identity/version metadata.
Functional analysis
Type: OpenClaw Skill
Name: talonforge-skill-guard
Version: 1.0.0
The skill-guard bundle is a security utility designed to provide pre-installation scanning for other OpenClaw skills. The core logic in `scripts/safe-install.sh` implements a safe staging workflow that downloads skills to a temporary directory and analyzes them using the legitimate `mcp-scan` tool (via `uvx`) before moving them to the production workspace. No evidence of data exfiltration, malicious execution, or prompt injection was found; the behavior is entirely consistent with its stated purpose of enhancing agent security.
Capability assessment
Purpose & Capability
The script implements a pre-install scanner that stages a skill, runs mcp-scan, and installs only on success — this matches the declared purpose. However, the registry metadata in the submission claims no required binaries/env, while SKILL.md and the script clearly require 'clawhub' and 'uvx' (and optionally use CLAWHUB_WORKDIR). Additionally, top-level metadata (ownerId/slug/version) does not match the _meta.json contents. These inconsistencies between manifest and runtime expectations reduce trust.
Instruction Scope
The SKILL.md and safe-install.sh are narrowly scoped: they fetch a skill to /tmp, run a scanner against that staging folder, and move files to the skills directory only on success. That's appropriate for a pre-install scanner. Caveats: the script supports '--skip-scan' which can bypass the protection, it suggests moving staged files manually to install anyway (expected but dangerous if followed blindly), and it sources '$HOME/.local/bin/env' as a fallback for uvx which is an unusual path and broadens what the script touches.
Install Mechanism
The skill is instruction-only but recommends and relies on tools that pull and execute remote code: it suggests installing 'uv' via 'curl -LsSf https://astral.sh/uv/install.sh | sh' and runs 'uvx mcp-scan@latest', which will fetch code at runtime. Using a network installer (curl | sh) and executing latest-tag remote packages increases risk. These behaviors are coherent with the purpose (running a third-party scanner) but are a source of supply-chain risk and should be validated against trusted releases.
Credentials
The skill does not request credentials or sensitive environment variables. It reads CLAWHUB_WORKDIR (optional) and uses standard locations ($HOME, /tmp). It does not request unrelated secrets or broad system access. This is proportionate to its goal.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request to persistently modify other skills or global agent settings. The script writes only to a staging directory and (on successful install) moves the staged skill into the normal skills directory — expected behavior for an installer.
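How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install talonforge-skill-guard
- Once installation completes, invoke the Skill by name or use /talonforge-skill-guard to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output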
Version history
v1.0.0
Initial release: pre-install security scanning for ClawHub skills, prompt injection detection, data exfiltration checks
Metadata
FAQ
What is Skill Guard — Pre-Install Security Scanner?
Scan ClawHub skills for security vulnerabilities BEFORE installing. Use when installing new skills from ClawHub to detect prompt injections, malware payloads... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 74 total downloads to date.
How do I install Skill Guard — Pre-Install Security Scanner?
Run the command "/install talonforge-skill-guard" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.
Is Skill Guard — Pre-Install Security Scanner free?
Yes, Skill Guard — Pre-Install Security Scanner is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Skill Guard — Pre-Install Security Scanner support?
Skill Guard — Pre-Install Security Scanner runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Skill Guard — Pre-Install Security Scanner?
It is developed and maintained by zinou (@casperzinou); the current version is v1.0.0.