ClawHub
Other

Skill Vetter Workflow Helper

Kyro@kyro-ma

Review ClawHub or Codex skill packages before installation or publication. Use when a user needs a security, privacy, quality, dependency, prompt-injection, or maintainability assessment of a skill folder, GitHub repo, or marketplace listing.

Install

openclaw skills install @kyro-ma/work-productivity-skill-vetter-workflow-helper-130446

Skill Vetter Workflow Helper

Requirement

Use this skill when a user needs to decide whether a skill package is safe, useful, and maintainable before installing, publishing, or recommending it.

The validated demand came from Skill Vetter-style ClawHub workflows, security-first installation concerns, and GitHub/developer signals about checking generated or third-party automation before use. This skill is an audit workflow, not a generic checklist generator.

Workflow

  1. Identify the package boundary: skill folder, manifest, agents, scripts, references, external links, and install instructions.
  2. Read the declared purpose and compare it with the actual files, commands, dependencies, and permissions requested.
  3. Check security risks: destructive commands, network exfiltration, credential handling, shell injection, unsafe downloads, hidden binaries, and prompt-injection surfaces.
  4. Check privacy risks: files read by default, logs retained, telemetry, API keys, local documents, browser state, and user content copied to remote services.
  5. Check quality risks: vague trigger conditions, missing validation, broken frontmatter, stale links, generated boilerplate, duplicated skills, and unverifiable claims.
  6. Score severity with concrete evidence and separate blockers from warnings and improvement suggestions.
  7. Produce a decision: safe to install, safe with changes, publishable after fixes, or reject.

Expected Outputs

  • A concise audit report with findings ordered by severity.
  • File and line references when local files are available.
  • A risk matrix covering security, privacy, quality, dependency, and maintainability.
  • A final install/publish recommendation with required fixes.

Validation

  • Findings cite concrete files, commands, manifests, or observed behavior.
  • The report distinguishes confirmed issues from assumptions.
  • High-risk items include actionable remediation.
  • The final recommendation is clear enough for a maintainer to act on without rereading the package.

Triggers

Keywords: skill vetter, skill review, ClawHub safety, preinstall audit, prompt injection, dependency risk, publish review, marketplace vetting.

Example trigger sentences:

  • Use $work-productivity-skill-vetter-workflow-helper to audit this skill before I install it.
  • Review this ClawHub package for security and privacy risks.
  • Tell me whether this generated skill is publishable or should be rejected.