Guard Scanner

The skill's stated purpose (an agent/MCP security scanner and runtime guard) largely matches its code and features, but there are packaging and instruction inconsistencies (instruction-only claim vs large codebase, missing install spec, undocumented optional env use) that warrant caution before installation or granting runtime privileges.

Key things to check before installing or running this skill: 1) Packaging provenance: confirm the npm package name (@guava-parity/guard-scanner) and inspect the published tarball (npm pack or view on the registry). The skill metadata claims "instruction-only" but the archive contains source and plugin hooks — ask the maintainer to explain this mismatch. 2) Inspect build/artifact used for runtime plugin: SKILL.md refers to a compiled plugin entry (dist/openclaw-plugin.mjs). If you will mount the runtime guard, review the actual compiled artifact (not just source) that will run inside your agent and verify no unexpected network endpoints or credential exfiltration code. 3) Run in monitor mode first: if you enable the MCP/server or before_tool_call hook, start in 'monitor' so it logs findings without blocking agent behavior. Only escalate to 'enforce'/'strict' after manual review. 4) Network execution via npx: the CLI examples use npx/npm exec which fetches code from npm at runtime. Prefer downloading and inspecting the package before running npx, or install from a vetted internal registry. 5) Optional credentials: VT_API_KEY is optional for VirusTotal integration — only provide it if you want that feature. The skill does not declare other required secrets, which is proportional, but double-check any prompts or plugins for undocumented env usage. 6) Review plugin extensibility: features like --plugin allow loading local modules; treat these as code execution surfaces and audit any plugin you load. 7) Ask for repo/homepage: the registry listing lacks a homepage/source link. If you rely on this tool in production, request a public source repo, reproducible build instructions, and SBOM/provenance to validate supply chain claims. Given the mixture of coherent security functionality and packaging/instruction inconsistencies, proceed with caution: verify the published package and plugin artifacts before enabling runtime guard mode.