Skill Audit Framework
v1.2.0
Structured security and quality audit framework for AI agent skills. Teaches you what to check before installing any skill.
by LeoYann (@enawareness)
License: MIT-0. Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
The name and description claim a review methodology and the SKILL.md contains a detailed audit checklist and report format. There are no declared env vars, binaries, or installs that would be unrelated to a review framework.
Instruction Scope
The runtime instructions tell the agent to inspect skill files, provenance, permissions, and dependencies and to produce a structured report. That matches the stated purpose. The SKILL.md explicitly says the agent cannot execute audited code, and there are no instructions that tell the agent to run arbitrary installers, exfiltrate data, or access unrelated system paths.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to drop on disk. That minimal footprint is appropriate for a review framework.
Credentials
The skill declares no required environment variables, credentials, or config paths. The checklist asks auditors to verify other skills' requires.env entries, but this audit skill itself does not request sensitive values — which is proportionate.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not include install scripts, and does not instruct modifying system or other skills' configurations. It only defines how the agent should analyze other skills.
Assessment
This skill is a prompt/template for performing manual-style audits and is internally consistent. Before using it: (1) ensure your agent performs read-only analysis of repositories and skill files and does not automatically execute installers or 'curl | bash' commands it finds, (2) verify any external repository links the auditor checks (confirm author identity and commit history yourself when possible), and (3) treat the auditor's PASS as guidance, not a guarantee—manually review code for high-privilege skills. If you want stricter guarantees, run audits from a sandboxed environment or a separate reviewer account that has no write or credential access.
latest: vk97avxzmcyp60gre07x3h9x0gs83vmca
Runtime requirements
🔍 Clawdis
