ztp

Before installing or trusting this as a Gatekeeper, consider the following: - Provenance: the skill has no homepage and an unknown source. Ask the publisher for provenance, a cryptographic release, or maintainer contact information before using it as an authoritative gate. - Path mismatch: SKILL.md shows a different script path (skills/openclawSecurity/...) than the included files (scripts/shield_pro.py). Confirm the correct runtime invocation and update the docs to avoid accidental failures. - Dynamic import/execution: the code references a dynamic scan harness (importlib/util and tests that mention a 'trap'). Dynamic importing can execute code; obtain and review the SafeImportHarness implementation to ensure it truly prevents side effects (no fork/exec, no uncontrolled os.system, no network during import). - External/semantic scanning: the tool can optionally call external tools or LLM-based semantic checks. Confirm whether any API keys or network endpoints would be used automatically, which environment variables they would read, and whether code or findings are transmitted outside your environment. - False positives and policy strictness: the forbidden-imports and forbidden-calls lists include commonly-used modules (e.g., functools, open). Expect false positives; plan for a manual-review workflow and test the tool on benign code to understand its rules. - Review risky constructs: review any code that uses importlib, eval/exec handling, or automated dynamic execution traps. Also run the included unit tests in an isolated sandbox to validate behavior. If you need to proceed: run the tool in an isolated environment (air-gapped or heavily restricted container), inspect the SafeImportHarness codepath, and verify that no network connections are made and no environment secrets are read before giving it gatekeeper status.