Skill Vettr

The OpenClaw AgentSkills skill bundle `publish-skill-vettr` is classified as **benign**. The skill `skill-vettr` is designed as a static analysis security scanner. Its primary function is to detect various security risks, including code execution, shell injection, prompt injection, dangerous dependencies, and credential access patterns in *other* OpenClaw skills. The presence of code snippets that appear malicious (e.g., `eval()`, `exec()`, `process.env` access, prompt injection phrases, base64-encoded payloads) are consistently found within the scanner's detection logic (`src/analyzers/*.ts`) or in its test fixtures (`test/fixtures/malicious-skill/index.ts`), where they serve as examples of patterns the scanner is designed to identify. Key indicators supporting this classification: 1. **Purpose Alignment**: The skill's code directly implements the stated purpose of a security scanner, with analyzers specifically targeting known vulnerabilities and malicious patterns. 2. **Safe Execution Practices**: External binary execution (`git`, `curl`, `tar`, `clawhub`) is performed via `execSafe` (`src/utils/exec-safe.ts`), which uses `execFile` (avoiding shell interpretation), whitelists commands, and sanitizes arguments against shell metacharacters and null bytes. 3. **Input Sanitization**: Paths and URLs provided as arguments to the skill's commands are rigorously sanitized (`src/utils/sanitise.ts`) to prevent path traversal and other injection attacks against the scanner itself. 4. **Prompt Injection Detection**: The `PatternAnalyzer` (`src/analyzers/pattern-analyzer.ts`) explicitly looks for prompt injection patterns in *other* skills' code, and its tests confirm it correctly identifies these patterns within string literals while ignoring comments. The `SKILL.md` and `readme.md` files are purely informational and do not contain any prompt injection attempts against the agent. 5. **Transparency and Warnings**: The `skill.md` and `readme.md` documentation clearly outline the skill's capabilities, limitations, and potential risks (e.g., `npm install` lifecycle scripts, `allowCwd` configuration, vetting untrusted URLs in a container), indicating responsible disclosure rather than malicious intent.