Skill Vetter Plus

Security

Security scanner for AI agent skills. 9 built-in detection signatures. Identifies secrets, unsafe execution patterns, and prompt injection. Sub-50ms results.

Install

openclaw skills install skill-vetter-plus

Skill Vetter Plus

What It Does

Scans AI agent skills for security issues:

9 built-in detection signatures (secrets, execution, prompt injection)
Sub-50ms scan time
Run before installing any unknown skill

How to Use

# Scan any skill directory
python3 scripts/vetter.py /path/to/installed/skill

# JSON output for piping
python3 scripts/vetter.py /path/to/skill --json

Signatures

ID	Severity	What It Finds
hardcoded-api-key	high	`api_key`, `api-key`
hardcoded-secret	high	`secret_key`, `secret-token`, `auth_token`
hardcoded-password	high	`password`
unsafe-eval	critical	`eval(`
unsafe-exec	critical	`exec(`
unsafe-os-system	critical	`os.system(`
subprocess-shell-true	high	`shell=True`
raw-network	medium	`urllib.request`, `requests.post`/`get`
prompt-injection	critical	`ignore previous instructions`, `ignore the above`

What It Does NOT Do

No AST analysis (text matching only)
Cannot detect control-flow obfuscation
Cannot analyze compiled binaries
Not a replacement for manual code review

Results

Scanned 12 files in 23ms
Found 1 issue(s):
  [CRITICAL] unsafe-eval at /skill/scripts/mail.py:45
    → eval() can execute arbitrary code (matched: 'eval(')

Pro Upgrade

Feature	Pro ($49)
Real-time scanning	✅
Weekly signature updates	✅
Team sharing	✅
Custom signatures	✅
Priority support	✅

Limitations

Text-based pattern matching
Cannot detect all malware — only patterns in the signature database

Attribution

Built by: CertainLogic
Concept: Skill security pre-checking (industry standard practice)

Skill Vetter Plus

Install

Skill Vetter Plus

What It Does

How to Use

Signatures

What It Does NOT Do

Results

Pro Upgrade

Limitations

Attribution

Links

Related skills