Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Guard — Pre-Install Security Scanner

v1.0.0

Scan ClawHub skills for security vulnerabilities BEFORE installing. Use when installing new skills from ClawHub to detect prompt injections, malware payloads...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for casperzinou/talonforge-skill-guard.

Prompt preview (Install & Setup):
Install the skill "Skill Guard — Pre-Install Security Scanner" (casperzinou/talonforge-skill-guard) from ClawHub.
Skill page: https://clawhub.ai/casperzinou/talonforge-skill-guard
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install talonforge-skill-guard

ClawHub CLI


npx clawhub@latest install talonforge-skill-guard
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The script implements a pre-install scanner that stages a skill, runs mcp-scan, and installs only on success — this matches the declared purpose. However, the registry metadata in the submission claims no required binaries/env, while SKILL.md and the script clearly require 'clawhub' and 'uvx' (and optionally use CLAWHUB_WORKDIR). Additionally, top-level metadata (ownerId/slug/version) does not match the _meta.json contents. These inconsistencies between manifest and runtime expectations reduce trust.
Instruction Scope
The SKILL.md and safe-install.sh are narrowly scoped: they fetch a skill to /tmp, run a scanner against that staging folder, and move files to the skills directory only on success. That's appropriate for a pre-install scanner. Caveats: the script supports '--skip-scan' which can bypass the protection, it suggests moving staged files manually to install anyway (expected but dangerous if followed blindly), and it sources '$HOME/.local/bin/env' as a fallback for uvx which is an unusual path and broadens what the script touches.
Install Mechanism
The skill is instruction-only but recommends and relies on tools that pull and execute remote code: it suggests installing 'uv' via 'curl -LsSf https://astral.sh/uv/install.sh | sh' and runs 'uvx mcp-scan@latest', which will fetch code at runtime. Using a network installer (curl | sh) and executing latest-tag remote packages increases risk. These behaviors are coherent with the purpose (running a third-party scanner) but are a source of supply-chain risk and should be validated against trusted releases.
Credentials
The skill does not request credentials or sensitive environment variables. It reads CLAWHUB_WORKDIR (optional) and uses standard locations ($HOME, /tmp). It does not request unrelated secrets or broad system access. This is proportionate to its goal.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request to persistently modify other skills or global agent settings. The script writes only to a staging directory and (on successful install) moves the staged skill into the normal skills directory — expected behavior for an installer.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md explicitly mentions prompt-injection patterns (including the phrase 'IGNORE PREVIOUS INSTRUCTIONS') as examples of threats. The regex scanner flagged that pattern; it is expected given the skill's documented purpose of detecting prompt injections, but the presence of that exact phrase in content could also be used in other contexts as an attack vector — manual review of staged files is still recommended.
What to consider before installing
This script mostly behaves as a pre-install scanner and is coherent with its purpose, but before using it you should: (1) verify the package ownership and metadata — the included _meta.json and the top-level registry metadata disagree; (2) avoid running the recommended 'curl | sh' installer unless you trust that source — prefer installing uv/uvx and mcp-scan from vetted, pinned releases; (3) inspect staged files in /tmp/skill-guard-staging/ before you move them into your real skills folder; (4) be cautious about using or exposing the '--skip-scan' option or manually moving quarantined skills into your workspace; and (5) prefer to pin a known-safe mcp-scan release rather than running '@latest' to reduce supply-chain risk. If you need higher assurance, request checksums or a signed release for the scanner and confirm the owner's identity/version metadata.
SKILL.md:22
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Tags: clawhub, latest, safety, scanner, security, skill, talonforge
67 downloads · 0 stars · 1 version · Updated 1w ago · v1.0.0 · MIT-0

skill-guard

The only pre-install security gate for ClawHub skills.

Why skill-guard?

                         VirusTotal (ClawHub built-in)   skillscanner (Gen Digital)   skill-guard
When it runs             After publish (server-side)     On-demand lookup             Before install (client-side)
What it checks           Malware signatures              Their database               Actual skill content
Prompt injections
Data exfiltration URLs
Hidden instructions
AI-specific threats
Install blocking

VirusTotal catches known malware binaries — but won't flag <!-- IGNORE PREVIOUS INSTRUCTIONS -->.

skillscanner checks if Gen Digital has reviewed it — but can't scan new or updated skills.

skill-guard uses mcp-scan (Invariant Labs, acquired by Snyk) to analyze what's actually in the skill, catches AI-specific threats, and blocks install if issues are found.

The Problem

Skills can contain:

  • 🎭 Prompt injections — hidden "ignore previous instructions" attacks
  • 💀 Malware payloads — dangerous commands disguised in natural language
  • 🔑 Hardcoded secrets — API keys, tokens in plain text
  • 📤 Data exfiltration — URLs that leak your conversations, memory, files
  • ⛓️ Toxic flows — instructions that chain into harmful actions

One bad skill = compromised agent. Your agent trusts skills implicitly.

The Solution

# Instead of: clawhub install some-skill
./scripts/safe-install.sh some-skill

skill-guard:

  1. Downloads to staging (/tmp/) — never touches your real skills folder
  2. Scans with mcp-scan — Invariant/Snyk's security scanner for AI agents
  3. Blocks or installs — clean skills get installed, threats get quarantined

What It Catches

Real example — skill-guard flagged this malicious skill:

● [E004]: Prompt injection detected (high risk)
● [E006]: Malicious code pattern detected
● [W007]: Insecure credential handling
● [W008]: Machine state compromise attempt
● [W011]: Third-party content exposure

VirusTotal: 0/76 engines. mcp-scan caught what antivirus missed.

Usage

# Secure install (recommended)
./scripts/safe-install.sh <skill-slug>

# With version
./scripts/safe-install.sh <skill-slug> --version 1.2.3

# Force overwrite
./scripts/safe-install.sh <skill-slug> --force

Exit Codes

Code   Meaning         Action
0      Clean           Skill installed ✓
1      Error           Check dependencies/network
2      Threats found   Skill quarantined in /tmp/, review before deciding

When Threats Are Found

Skill stays in /tmp/skill-guard-staging/skills/<slug>/ (quarantined). You can:

  1. Review: read the scan output, inspect the files
  2. Install anyway: mv /tmp/skill-guard-staging/skills/<slug> ~/.openclaw/workspace/skills/
  3. Discard: rm -rf /tmp/skill-guard-staging/

Requirements

  • clawhub CLI — npm i -g clawhub
  • uv — curl -LsSf https://astral.sh/uv/install.sh | sh

Why This Matters

Your agent has access to your files, messages, maybe your whole machine. One malicious skill can:

  • Read your secrets and send them elsewhere
  • Modify your agent's behavior permanently
  • Use your identity to spread to other systems

Trust, but verify. Scan before you install.
