HIIC-skill-vetter
v1.0.0 · Practical skill vetting workflow for AI agents. Prioritizes clear yes/no risk judgments, concise conclusions, and business-aware risk tolerance before instal...
by HIIC-Wayne (@waytobetter619)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Benign (high confidence)
Purpose & Capability
Name/description (a skill-vetter) matches the included assets (SKILL.md, vet_scan.py, vet-scan.sh). No unrelated env vars, binaries, or platform credentials are requested.
Instruction Scope
Runtime instructions are limited to reviewing SKILL.md and running the included scanner against a target skill directory. The scanner only reads files under the provided target directory (root.rglob) and looks for risky patterns; it does not instruct reading system-wide secrets or making outbound network calls.
Install Mechanism
No install spec. This is an instruction-only skill with local Python/shell helpers. There are no downloads or archive extraction steps; importing yaml is optional and not installed automatically.
Credentials
The skill declares no environment variables or credentials. The scanner searches for tokens/patterns inside the target directory but does not require or access external secrets itself.
Persistence & Privilege
The always flag is false, and the skill does not attempt persistence, system service installation, or elevated operations. The code contains no sudo/chown/chmod root operations.
Scan Findings in Context
[dynamic_execution_patterns_present_in_scanner] expected: The scanner contains regexes for eval/exec/bash -c/subprocess — this is intentional: the vetter looks for those patterns in other skills to flag dynamic execution risks.
[sensitive_file_patterns_present_in_scanner] expected: Patterns for .env, ~/.ssh, ~/.aws, token, cookie, etc., appear in the scanner. This is appropriate because the tool's purpose is to detect sensitive-access indicators in target skill directories.
[network_call_patterns_present_in_scanner] expected: Regexes for curl, wget, https://, requests, and axios are present; expected because the vetter searches for outbound/network-related code in scanned skills.
Assessment
This skill is a local vetting helper and appears safe to use. It will read files under whatever directory you point it at, so do not run it against directories that contain your real secrets (for example ~/.ssh or other private data). The scanner only inspects files and patterns — it does not itself make network calls or change system settings. Two practical precautions: (1) run the scanner in a sandbox or on a copy of the skill directory if it contains credentials, and (2) remember the vetter is an automated triage helper with a 'safe-by-default' policy and concise outputs — follow up with manual review for anything flagged as medium/high risk.
