Skill Vetter

v1.0.0

Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description (skill vetting) match the SKILL.md: it provides a checklist and commands to inspect repos and files. It does not request unrelated credentials, binaries, or installs.
Instruction Scope
Instructions direct the agent to read and review all files of a candidate skill and to run GitHub API/raw content queries for GitHub-hosted skills. This is appropriate for vetting, but the instructions assume the agent may perform network calls and full file reads — ensure the agent is authorized to access those repos and that you intend that level of access.
Install Mechanism
No install spec and no code files — lowest-risk model. The provided quick-commands use curl/jq against GitHub; those are reasonable for repo inspection and do not introduce installation-time downloads or extracted archives.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate to a vetting/checklist skill.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The skill does not request persistent system presence or attempt to modify other skills or system-wide settings.
Assessment
This is a coherent, low-risk instruction-only vetting skill: it contains a sensible checklist and GitHub query examples and does not ask for secrets or installs. Before using it, remember: (1) vetting requires the agent to read candidate skill files and may perform network calls — confirm you want those permissions; (2) the checklist helps detect obvious red flags but does not guarantee detection of cleverly obfuscated or time-delayed malicious code, so for high-risk skills perform a human code review; (3) run the quick curl commands from a controlled environment (no privileged credentials in the shell) and avoid pasting sensitive tokens into outputs. If you want stronger guarantees, require manual human approval for skills classified as MEDIUM+ or that request any credentials.

Like a lobster shell, security has layers — review code before you run it.
