Skill Guardian
Warn
Audited by ClawScan on May 10, 2026.
Overview
Skill Guardian matches its stated purpose, but its security scoring is largely placeholder code while it can automatically update other skills on a recurring schedule.
Review this skill carefully before installing or scheduling it. It does not show data theft or obvious malicious behavior, but its security claims are stronger than its implementation, and its auto-update workflow can change other installed skills. Prefer manual or dry-run mode until real vetting, exact update verification, and per-update approval are added.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may believe a skill has been meaningfully security-vetted when the provided code did not actually evaluate the scanner result.
The shown vetting implementation ignores the captured vetter output and returns a fixed passing score, so the advertised trust score may not reflect real security checks.
# Parse vetter output (simplified)
return {
    "trust_score": 80,  # Placeholder - would parse actual output
    "risk_flags": [],
    "passed": True
}
Require the vetter to return success, parse and display its real findings, fail closed on errors or nonzero results, and avoid assigning trust scores until real vetting is implemented.
A skill update can change future agent behavior without the user reviewing that specific update first.
The script can invoke the ClawHub CLI to update skills automatically based on registry trust scores, including immediate updates for high-trust entries.
if is_high_trust:
    print(f"🌟 {skill_name}: High trust score ({trust_score}) - immediate update allowed")
...
subprocess.run(
    ["clawhub", "update", skill_name, "--version", info["latest_version"]],
    check=True,
    timeout=120
)
Make dry-run the default, require explicit confirmation per update, verify the exact package and version before updating, and provide rollback instructions.
The skill can keep making changes to the skill registry/update state after the original setup, especially if added to cron.
The documentation recommends persistent scheduled execution, and the scheduled workflow includes applying updates.
🤖 **Auto-Scheduled** — Runs 1-2 times daily automatically ... Skill Guardian works best when run automatically 1-2 times daily. ... 3. 🔄 **Apply Updates** — High-trust (≥90) update immediately, others queued
Only enable scheduling if you want autonomous updates; otherwise run manually. If scheduled, log actions, review queued updates, and keep an easy way to disable the cron job.
A misidentified or insufficiently verified update could be queued and later applied to the user's skill environment.
The shown update detection relies on substring parsing of a global list output rather than exact package identity, source binding, or signed/versioned metadata before updates are applied.
result = subprocess.run(
    ["clawhub", "list"],
    capture_output=True,
    text=True,
    timeout=30
)
...
if skill_name in line:
    parts = line.split()
    if len(parts) >= 2:
        return parts[1]  # Version column
Use exact package identifiers, owner/source checks, signed or API-provided metadata, changelog review, and explicit user approval before applying updates.
