Release Guard
Security checks across malware telemetry and agentic risk
Overview
Release Guard appears to be a narrow local pre-publish checker; the main caution is that it reads the folder you point it at and may print secret-like lines for review.
This skill looks safe to use for its stated purpose if you intentionally run the Bash script on a specific skill folder. Do not point it at large private workspaces, and review any secret-like output privately before publishing.
VirusTotal
59/59 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on the wrong directory, the report could include file paths or matching lines from unrelated local content.
The script traverses and scans a directory supplied by the user. The path is quoted and this behavior matches the skill purpose, but the user should ensure the selected path is only the intended skill folder.
file_count=$(find "$skill_dir" -type f ... | wc -l ...); grep -RInE ... "$skill_dir"
Run it only against the specific OpenClaw skill folder you intend to review, not a home directory or broader workspace.
If a real credential is accidentally present in the scanned folder, it may be displayed in the report and briefly stored in a local temporary file.
Secret-like matches are written to a temporary local file and then printed into the report. This is purpose-aligned for detecting accidental credentials, but real secrets would enter the agent/output context.
grep -RInE '(api[_-]?key|secret|token|password)[[:space:]]*[:=]' "$skill_dir" ... >/tmp/release-guard-secret.$$ ...; sed -n '1,20p' /tmp/release-guard-secret.$$
Use the tool in a private workspace, treat secret findings as sensitive, and remove any real credentials before publishing.