ClawHub

SkillGate Governance

v0.1.2

Supply-chain governance for OpenClaw skills: scan, assess, quarantine/restore.

0· 512·0 current·0 all-time
by@liyecom
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description state supply-chain governance for OpenClaw skills and the SKILL.md instructs the agent to run an npm-scoped package (@skillgate/...) via npx. The declared required binaries (node, npm) match that need; no unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions focus on scanning a provided directory and explain quarantine/restore as operations on the target directory. They recommend using npx with a pinned version and show verification steps. Important operational note: npx will download and execute code from the npm registry (network fetch on first run) and quarantine operations can move/modify files inside the directory you pass — both are expected for this purpose but are material security actions the user should be aware of.
Install Mechanism
There is no install spec for the skill itself, but runtime instructions rely on npx to fetch and run @skillgate/openclaw-skillgate@0.1.3 from npm. This is a standard mechanism for Node tools but implies executing remote package code (moderate risk); the SKILL.md provides sensible verification commands (npm view, repo URL) to mitigate that risk.
Credentials
The skill requests no environment variables, credentials, or config paths — consistent with a local governance scanner that only needs node/npm and operates on a user-supplied directory.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. The only elevated action described is quarantining (moving/marking) files inside a target directory, which is appropriate for the stated functionality and scoped to the user-specified target.
Assessment
This skill appears to do what it says: it runs an npm-scoped scanner to inspect a directory and can quarantine skills by moving files in the directory you pass. Before running it, consider: (1) prefer the pinned version shown in SKILL.md and run the provided npm view / dist.integrity verification to confirm package provenance; (2) run scans read-only where possible and only use quarantine/restore when you trust the tool; (3) be aware npx will fetch and execute code from the npm registry — if you have strict supply-chain requirements run the package in a sandbox or inspect its source first (the SKILL.md points to the GitHub repo); (4) avoid running quarantine on system or shared directories you don’t control. Overall the skill is internally consistent, but treat remote-executed packages and file-moving operations with standard caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk978egjett0p7jwck0hepgxnqs81nnf0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛡️ Clawdis
Binsnode, npm

Comments