skill-guard

Pass
Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: skill-guard
Version: 1.0.2

This skill, 'skill-guard', is designed to enhance security by scanning other OpenClaw skills for vulnerabilities before installation. The `SKILL.md` documentation clearly describes its purpose and methods and contains no prompt-injection attempts. The `scripts/safe-install.sh` script uses legitimate tools (`clawhub`, `uvx`, `mcp-scan`) to download skills to a temporary staging area (`/tmp`), scan them, and install them only if no security issues are detected. It does not exhibit malicious behaviors such as data exfiltration, unauthorized remote control, or persistence mechanisms. The installation instructions for its `uv` dependency suggest `curl | sh`; that is the upstream tool's usual install method and is a step the user performs, not something the skill's own logic executes.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or malicious skill name could cause the installer to delete or move files outside the intended OpenClaw skill folder.

Why it was flagged

The user-controlled skill slug is concatenated into recursive delete paths without validation or realpath containment checks. A slug containing path traversal such as '..' or '/' could target paths outside the staging or skills directory.

Skill content
SKILL_SLUG="$1"
...
rm -rf "$STAGING_DIR/skills/$SKILL_SLUG"
...
rm -rf "$SKILLS_DIR/$SKILL_SLUG"
Recommendation

Validate slugs against a strict registry-safe pattern, reject slashes and '..', use mktemp for staging, and verify resolved paths stay inside the intended directory before any rm, mv, or scan operation.
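The following is an added example of how that recommendation can be implemented in the install script; it is not the skill's own `safe-install.sh`, and the function names (`valid_slug`, `is_inside`, `make_staging`, `safe_remove_skill`) are this example's own choices. It combines a strict slug allow-list with a physical-path containment check, refuses symlinked skill entries, and replaces the fixed `/tmp` staging path with an unpredictable `mktemp -d` directory.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own code: gate every rm/mv on the staging and
# skills directories behind a slug allow-list and a path containment check.
set -eu

# Registry-safe slug: lowercase letters, digits and single interior hyphens.
# This rejects '..', '/', empty strings, whitespace, uppercase and a leading
# '-' (which rm would otherwise parse as an option).
valid_slug() {
    case "$1" in
        ''|*[!a-z0-9-]*|-*|*-|*--*) return 1 ;;
    esac
    return 0
}

# Physically resolve an existing directory (symlinks followed) without relying
# on realpath(1), which is not installed everywhere.
resolve_dir() {
    (cd -- "$1" 2>/dev/null && pwd -P)
}

# True iff $2 resolves to a strict descendant of $1. Matching "$base"/* rather
# than a bare prefix keeps /srv/skills-evil from passing as a child of /srv/skills.
is_inside() {
    local base target
    base=$(resolve_dir "$1") || return 1
    target=$(resolve_dir "$2") || return 1
    [ "$target" != "$base" ] || return 1
    case "$target" in
        "$base"/*) return 0 ;;
    esac
    return 1
}

# Private, unpredictable staging area instead of a fixed path under /tmp.
# Prints the directory so the caller can record it for cleanup.
make_staging() {
    local dir
    dir=$(mktemp -d) || return 1
    mkdir -p -- "$dir/skills"
    printf '%s\n' "$dir"
}

# Remove $1/$2 only if the slug is well-formed, the entry is a plain directory
# (a symlink could point anywhere) and the resolved path is still under $1.
# Slug validation already forbids traversal; the containment check is defense
# in depth against a tampered or relocated base directory.
safe_remove_skill() {
    local base=$1 slug=$2 target
    valid_slug "$slug" || { echo "rejected slug: '$slug'" >&2; return 1; }
    target="$base/$slug"
    [ -e "$target" ] || [ -L "$target" ] || return 0   # nothing to remove
    if [ -L "$target" ] || [ ! -d "$target" ]; then
        echo "refusing to remove '$target': not a plain directory" >&2
        return 1
    fi
    is_inside "$base" "$target" || {
        echo "refusing to remove '$target': outside '$base'" >&2
        return 1
    }
    rm -rf -- "$target"
}
```

The same `valid_slug` and `is_inside` checks should run before the `mv` that promotes a staged skill into `$SKILLS_DIR`, not only before the two `rm -rf` calls, since a traversal in the destination path is just as dangerous as one in the deletion path.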

What this means

The scanner behavior or trustworthiness could change if the upstream package changes or is compromised.

Why it was flagged

The scanner is executed from an external package reference using '@latest', so the code run by the security gate can change between invocations. The scanner is central to the skill's purpose, yet its version is not pinned.

Skill content
scan_output=$(uvx mcp-scan@latest --skills "$staged_path" 2>&1)
Recommendation

Pin mcp-scan to a reviewed version or lockfile, document the external dependency in metadata, and consider verifying package provenance.
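As an added example (not the skill's own code) of enforcing that pin in the install script: the helpers below read an exact `name==version` pin from a committed file, reject anything floating such as `@latest` or a range, and build the `uvx` invocation in the documented `name@version` form while keeping the `--skills` flag the skill already uses. The pin file name and the version numbers are placeholders, not real `mcp-scan` releases.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own code: refuse a floating '@latest' scanner
# reference and require an exact pin read from a committed file. Versions and
# the pin file name are placeholders.
set -eu

# Exact pin only, pip/lockfile style: name==X.Y[.Z[.W]]. A bare name,
# '@latest', pre-release suffixes and ranges such as '>=1.0' are rejected.
is_exact_pin() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]*==[0-9]+(\.[0-9]+){1,3}$'
}

# Read the first non-blank line of the pin file and validate it. A missing or
# unpinned file fails closed rather than falling back to @latest.
read_pin() {
    local pin
    pin=$(grep -m1 -v '^[[:space:]]*$' -- "$1" 2>/dev/null | tr -d '[:space:]') || return 1
    is_exact_pin "$pin" || { echo "refusing unpinned scanner reference: '$pin'" >&2; return 1; }
    printf '%s\n' "$pin"
}

# Turn name==version into uvx's documented name@version form. The command is
# printed, not executed, so the caller can log exactly what will run.
build_scan_cmd() {
    local pin=$1 staged=$2 name version
    is_exact_pin "$pin" || return 1
    name=${pin%%==*}
    version=${pin#*==}
    printf 'uvx %s@%s --skills %s\n' "$name" "$version" "$staged"
}
```

In the install script this replaces `uvx mcp-scan@latest` with `$(build_scan_cmd "$(read_pin scanner.pin)" "$staged_path")`, where `scanner.pin` is a hypothetical file kept under review alongside `SKILL.md`; bumping the scanner then becomes a reviewed change rather than a silent one.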

What this means

This does not look like an active attempt to override the agent, but users may see scanner warnings because the skill discusses prompt-injection examples.

Why it was flagged

Prompt-injection wording appears in the skill text as an explanatory example. In context this is expected for a scanner skill, but it explains the static prompt-injection signal.

Skill content
Prompt injections — hidden "ignore previous instructions" attacks
Recommendation

Keep examples clearly fenced or neutralized so security scanners and agents do not confuse them with executable instructions.