Skill Guardian
Safely manage your AI skill collection with trust scoring, security vetting, delayed auto-updates, and pending periods for new skills. Use when adding new sk...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 28 · 0 current installs · 0 all-time installs
by@liefqin
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the code: registry management, pending periods and trust-based updates are implemented. However the vetting step is effectively a placeholder (vet_skill returns a hard-coded trust_score and does not parse vetter output), so the claim 'Auto-scans every skill before adding' is misleading unless you provide/verify a working skill-vetter implementation.
Instruction Scope
Runtime instructions and scripts execute other programs (clawhub CLI and a skill-vetter script) and write a local registry JSON. add_skill calls an external vet.py via subprocess, check_updates runs 'clawhub list', and apply_updates runs 'clawhub update' which will fetch and install external code — these are expected for an updater but grant the skill the ability to trigger installation/execution of other skills. auto_run uses shell=True to invoke commands, which is more brittle and increases risk if paths are manipulated.
Install Mechanism
No install spec — instruction-only plus included Python scripts. Nothing is downloaded by the skill itself; external downloads happen via the clawhub CLI when you run updates (expected for an updater).
Credentials
No environment variables or secrets requested. Required components (Python, clawhub CLI, skill-vetter) are relevant to the stated purpose. The number and type of external requirements are proportionate to a registry/updater tool.
Persistence & Privilege
always:false (no forced always-on). The documentation recommends adding cron jobs and even shows examples using /root/.openclaw/workspace — running scheduled jobs as root or modifying system crontab increases risk and should be considered carefully. The skill will run periodically and may auto-update other skills if scheduled.
What to consider before installing
What to check before installing or scheduling Skill Guardian:
- Vetting is not implemented in the code provided: add_skill calls a vetter subprocess but returns a placeholder trust score (80) instead of parsing real vetter output. Confirm that a trustworthy skill-vetter (and its scripts/vet.py) exists at the expected path and inspect it before relying on automated vetting.
- The scripts will invoke the clawhub CLI to list and update skills. apply_updates will run 'clawhub update', which can download and install third-party code — that's the intended function, but it means a compromised or malicious package reachable via clawhub could be installed automatically based on registry entries.
- auto_run uses shell=True to run commands and the README/crontab examples reference running under /root/.openclaw/workspace. Avoid adding the cron entries as root until you've tested behavior in a safe, non-privileged environment.
- The check_updates parsing is brittle (parses clawhub list output by splitting lines). Expect false positives/negatives; consider testing check_updates/apply_updates with dry-run to see what would happen.
- Before trusting automatic promotions/updates, manually inspect assets/skill-registry.json and the contents of skill-vetter and any skills you add. Prefer initially running scripts manually (use --dry-run where available) and validate that vetter output and trust-score calculations match the policy described in references/trust-ratings.md.
If you want to proceed: (1) run the vetter scripts manually and inspect their code, (2) run check_updates/apply_updates with --dry-run, (3) test scheduling in a non-root account, and (4) back up your workspace/registry file so you can roll back if an unexpected update is applied.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download zipauto-updatecron-readycurationguardianlatestsafetysecurityskill-managementtrust-scoringversion-controlvetting
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Skill Guardian 🛡️
Your AI skill security guard — Track, vet, and safely update your skill collection.
Tags: security skill-management trust-scoring auto-update cron-ready safety version-control curation vetting guardian
Why Use Skill Guardian?
🔒 Security First — Auto-scans every skill before adding
📊 Trust Scores — Know which skills are safe at a glance
⏰ Smart Updates — High-trust skills (≥90) update immediately, others wait 10 days
📝 Pending Period — New skills wait 5-10 days before activation
🤖 Auto-Scheduled — Runs 1-2 times daily automatically
Quick Start
1. Install & Setup
# Install the skill
clawhub install skill-guardian
# Set up automated monitoring (recommended)
# See "Automated Scheduling" section below
2. Add a Skill Safely
python3 scripts/add_skill.py --name summarize --source clawhub
Skill Guardian will:
- ✅ Run security checks
- ✅ Assign trust score (0-100)
- ✅ Add to pending queue (5-10 days)
- ✅ Auto-promote after waiting period
3. View Your Collection
python3 scripts/list_skills.py # Active skills
python3 scripts/show_skill.py summarize # Detailed info
4. Smart Updates
Check for updates:
python3 scripts/check_updates.py
Apply updates (intelligent rules):
python3 scripts/apply_updates.py --all
Update Rules:
- 🌟 Trust ≥90: Immediate update
- ⏳ Trust 70-89: 10-day grace period
- 🛑 Trust <70: Manual approval required
Override for urgent updates:
python3 scripts/apply_updates.py summarize --force
5. Process Pending Skills
Manually check pending queue:
python3 scripts/process_pending.py
Automated Scheduling ⏰ (Recommended)
Skill Guardian works best when run automatically 1-2 times daily.
Option 1: System Cron
Add to crontab for morning (8am) and evening (8pm) runs:
# Edit crontab
crontab -e
# Add these lines
0 8 * * * cd /path/to/workspace && python3 skills/skill-guardian/scripts/auto_run.py
0 20 * * * cd /path/to/workspace && python3 skills/skill-guardian/scripts/auto_run.py
Option 2: Single Daily Run
# Once daily at 9am
0 9 * * * cd /path/to/workspace && python3 skills/skill-guardian/scripts/auto_run.py
Option 3: Manual Execution
If you prefer manual control:
# Full auto-run workflow
python3 skills/skill-guardian/scripts/auto_run.py
# Or step by step:
python3 scripts/process_pending.py # Promote pending skills
python3 scripts/check_updates.py # Check for updates
python3 scripts/apply_updates.py --all # Apply updates
What Auto-Run Does
Each execution performs:
- 🔍 Process Pending — Promote skills that passed 5-10 day waiting period
- 📦 Check Updates — Detect new versions of all skills
- 🔄 Apply Updates — High-trust (≥90) update immediately, others queued
- 📊 Report Status — Show current registry state
Trust Score Explained
| Score | Level | Update Behavior | Badge |
|---|---|---|---|
| 90-100 | 🟢 Verified | Immediate auto-update | 🌟 |
| 70-89 | 🟡 Trusted | 10-day grace period | ⏳ |
| 50-69 | 🟠 Caution | Manual approval required | ⚠️ |
| <50 | 🔴 Risky | Blocked from auto-add | 🛑 |
Included Trusted Skills
| Skill | Trust | Source | Purpose |
|---|---|---|---|
| jax-skill-security-scanner | 92 | clawhub | Advanced security scanning |
| skill-vetter | 95 | clawhub | Security vetting |
| find-skills | 90 | clawhub | Discover skills |
| skill-creator | 85 | clawhub | Create new skills |
New Skill Workflow
User/Auto-detect finds skill
↓
Security vetting
↓
PENDING queue (5-10 days)
↓
Waiting period
↓
Auto-promoted ✓
Update Workflow
Check detects new version
↓
Trust ≥90? ──→ Immediate update
↓ No
10-day delay
↓
Auto-apply
Advanced
Requirements
- Python 3.8+
- clawhub CLI installed
- skill-vetter (for security scanning)
- Cron (optional, for automation)
License
MIT
Files
12 totalSelect a file
Select a file to preview.
Comments
Loading comments…