skill-guard
Security checks across malware telemetry and agentic risk
Overview
The skill mostly matches its security-scanning purpose, but its installer uses a user-supplied skill name in recursive delete paths without validation, which could delete unintended local files if given a crafted name.
Do not let an agent run this on untrusted or unusual skill names until slug validation is fixed. If you use it, only pass normal ClawHub slugs, avoid --skip-scan and --force unless you understand the effect, and consider pinning the external scanner version.
VirusTotal
64/64 vendors reported this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken skill name could cause the installer to delete user-writable files outside the staging area before any scan runs.
The positional skill slug is used directly in a recursive delete path before any visible slug/path validation; path separators or ../ segments could escape the intended staging directory.
SKILL_SLUG="$1" ... rm -rf "$STAGING_DIR/skills/$SKILL_SLUG"
Validate slugs against the ClawHub slug format, reject slashes and dot-dot segments, canonicalize paths, and verify the target remains under the intended staging or skills directory before any rm -rf.
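One way to implement that guard, written in POSIX sh as an added example (not skill-guard's own installer code). The slug pattern and the 64-character cap are assumptions about the ClawHub slug format; the `$STAGING_DIR/skills/<slug>` layout is the one the finding quotes.

```sh
#!/bin/sh
# Added example, not skill-guard's own installer: validate a skill slug and
# prove the delete target stays under the staging tree before any rm -rf.
# Assumed slug format (ClawHub's real spec may differ): lowercase letters,
# digits and single interior hyphens, at most 64 characters.

validate_slug() {
  slug="$1"
  case "$slug" in
    "" | *[!a-z0-9-]*) return 1 ;;   # rejects '/', '..', spaces, metacharacters
    -* | *- | *--*)    return 1 ;;   # no leading, trailing or doubled hyphen
  esac
  [ "${#slug}" -le 64 ]
}

# Canonical path of a directory (symlinks resolved); fails if it is not a dir.
canon_dir() { (cd -- "$1" 2>/dev/null && pwd -P); }

# Succeeds only when $staging/skills/$slug is a real directory (not a symlink)
# whose canonical path lies inside the canonical $staging/skills.
staged_skill_dir() {
  staging="$1"; slug="$2"
  validate_slug "$slug" || return 1
  path="$staging/skills/$slug"
  [ -L "$path" ] && return 1          # a symlink could point anywhere
  [ -d "$path" ] || return 1
  root=$(canon_dir "$staging/skills") || return 1
  real=$(canon_dir "$path") || return 1
  case "$real" in
    "$root"/*) printf '%s\n' "$path" ;;
    *) return 1 ;;
  esac
}

# Guarded replacement for the unguarded: rm -rf "$STAGING_DIR/skills/$SKILL_SLUG"
remove_staged_skill() {
  staging="$1"; slug="$2"
  validate_slug "$slug" || { echo "refusing to delete: invalid slug '$slug'" >&2; return 1; }
  path="$staging/skills/$slug"
  [ -e "$path" ] || [ -L "$path" ] || return 0   # nothing staged: nothing to clean
  staged_skill_dir "$staging" "$slug" >/dev/null \
    || { echo "refusing to delete: '$path' is not a directory inside staging" >&2; return 1; }
  rm -rf -- "$path"
}
```

Because the slug check runs before the path is even built, a value such as `../../outside` is rejected without touching the filesystem, and the symlink and canonical-prefix checks cover the case where a staged entry itself points elsewhere.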
The scanner behavior and code can change over time, so the security gate depends on the current state of an external package source.
The security check depends on executing the latest available external mcp-scan package rather than a pinned version.
scan_output=$(uvx mcp-scan@latest --skills "$staged_path" 2>&1)
Pin mcp-scan to a reviewed version, document required binaries in metadata, and consider using lockfiles or hashes for repeatable installs.
Agents reading the raw skill text will see prompt-injection examples, though they are framed as threats rather than commands.
The skill includes a prompt-injection phrase as an example of what it detects; context indicates it is explanatory, not an instruction to follow.
Prompt injections — hidden "ignore previous instructions" attacks
Keep injection examples fenced, neutralized, and clearly labeled as examples so models do not treat them as active instructions.
