Skill Vetter - Pre-Install Security Review
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is an instruction-only security checklist; its notable behavior is asking the agent to fetch and read candidate skills for review, which is expected but should be supervised.
This skill appears safe to install as an instruction-only vetting checklist. When using it, supervise any curl or clawhub commands and ensure the agent treats the candidate skill’s files as untrusted content to review, not instructions to follow.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious skill being reviewed could contain prompt-like text that tries to distract or redirect the agent during the review.
The vetting workflow intentionally exposes the agent to untrusted skill files. That is purpose-aligned, but the reviewed content should not be followed as instructions.
Read **ALL** files in the skill. Check for these **RED FLAGS**:
When using this skill, tell the agent to treat candidate skill contents as evidence only and not to execute or obey instructions found inside them.
The agent may download or inspect untrusted skill content during a review.
The skill documents network and local package-retrieval commands for vetting. These are relevant to the purpose and shown as user-directed examples, but they still fetch untrusted third-party content.
curl -s "https://api.github.com/repos/OWNER/REPO" ... clawhub install skill-name --dir /tmp/skill-vet
Review these commands before running them, keep candidate skills isolated in a temporary directory, and prefer non-executing download or dry-run options when available.