Evez Skill Vetter

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: evez-skill-vetter
Version: 1.0.0

The skill is a security auditing tool designed to perform static analysis on other OpenClaw skills. The primary script, scripts/vet.py, uses regex patterns to detect dangerous functions (e.g., eval, subprocess), hardcoded secrets (API keys, AWS tokens), and obfuscation techniques without executing the target code. The SKILL.md file provides clear documentation and lacks any prompt-injection attempts or deceptive instructions, and the code contains no evidence of data exfiltration or malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run against the wrong folder, the tool may inspect many local files, although the provided code does not send them anywhere.

Why it was flagged

The scanner recursively reads files under the user-supplied path. This is expected for local static analysis, but it becomes broader than intended if the user points it at a large or private directory.

Skill content

for filepath in self.skill_path.rglob("*"):
... content = filepath.read_text(encoding="utf-8", errors="ignore")

Recommendation

Run it only on the specific skill directory or a copied review folder, not on broad locations such as a home directory.

What this means

The command may fail unless click is already installed, and users may need to decide how to obtain that dependency.

Why it was flagged

The script depends on the external Python package click, but the provided install metadata has no install spec or dependency declaration.

Skill content

if __name__ == "__main__":
    import click

Recommendation

Install any missing dependency only from a trusted package source, or ask the publisher to declare runtime dependencies explicitly.

What this means

A low score from this tool should not be treated as proof that a third-party skill is safe.

Why it was flagged

The documentation uses strong assurance language for a score produced by a simple static pattern scanner. This is not malicious, but it could cause users to over-trust a low score.

Skill content

0-20: ✅ Safe — install freely

Recommendation

Use the vetter as an initial linting aid and still review permissions, code behavior, provenance, and any external dependencies manually.