Skill Trust Guard

Audited by ClawScan on May 10, 2026.

Overview

The skill is openly designed as an install-time safety wrapper, but its registry-skill workflow uses `clawhub install --force` before the scan, so its main safety promise depends on that temporary install being harmless.

Before installing, confirm that `clawhub install --dir <temp>` cannot execute untrusted install hooks or other side effects, and verify that the external `skill-trust-scanner` path points to a trusted, pinned scanner. Prefer explicit use of `install.sh` until you are comfortable with the persistent PATH shim, and avoid `--yes` for warning-range skills unless you have reviewed the scan result.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A skill that should be blocked might still get partially installed or have install-time effects during the temporary fetch step, depending on how `clawhub install` behaves.

Why it was flagged

For registry targets, the wrapper invokes `clawhub install` with `--force` into a temporary directory before it runs the security scan. If `clawhub install` performs install-time side effects, untrusted skill behavior could occur before the guard makes its allow/block decision.

Skill content

if ! clawhub "${GLOBAL_OPTS[@]}" --dir "$TMPDIR" install "$TARGET" "${INSTALL_OPTS[@]}" --force ...
...
log "Running pre-install security scan..."

Recommendation

Use a true download/inspect API or archive fetch that cannot run install hooks, then scan that content before any install command. Document the containment guarantees if the temporary install approach is retained.

What this means

The guard’s decisions depend on whatever scanner code is present locally, so a missing, changed, or untrusted scanner could make the wrapper ineffective or unreliable.

Why it was flagged

The core trust decision relies on an external scanner located at a mutable local path and executed through `npx tsx`, but that scanner code and its version are not included in the reviewed artifacts.

Skill content

SCANNER_ROOT="${SCANNER_ROOT:-/home/guofeng/clawd/skill-trust-scanner}"
SCANNER_CLI="${SCANNER_CLI:-$SCANNER_ROOT/src/cli.ts}"
RAW=$(cd "$SCANNER_ROOT" && npx tsx "$SCANNER_CLI" "$SKILL_PATH" --json ...)

Recommendation

Install the scanner from a trusted source, pin its version, avoid implicit `npx` resolution where possible, and verify `SCANNER_ROOT`/`SCANNER_CLI` before relying on the guard.

What this means

Future install commands may be routed through this wrapper instead of the original CLI, which can block, warn, or change installation flow.

Why it was flagged

The integration step creates a persistent local `clawhub` shim that intercepts future `clawhub install` commands when the shim directory is placed earlier in PATH.

Skill content

SHIM_DIR="$HOME/.openclaw/bin"
cat > "$SHIM_DIR/clawhub" <<EOF
...
if [[ \$# -gt 0 && "\$1" == "install" ]]; then
  shift
  exec "$GUARD_DIR/install.sh" "\$@"
fi

Recommendation

Only enable the PATH shim if you want ongoing interception. To disable it, remove `~/.openclaw/bin/clawhub` or remove `~/.openclaw/bin` from the front of PATH.