Claw Skill Vetter Pro

v1.0.0

Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the content: SKILL.md is a manual vetting checklist and provides GitHub API curl examples. It does not request credentials or install components, which is proportionate. Note: the _meta.json ownerId differs from the registry ownerId provided in the submission metadata and there's no homepage/source URL — that provenance mismatch is worth verifying before trusting this vetter.
Instruction Scope
Instructions are a human-style checklist (read all files, look for red flags, run provided curl queries). This stays within vetting scope, but it is high-level and manual — it relies on the agent/human having access to skill files and network. It does instruct 'Read ALL files in the skill', which is expected for a vetter but means the agent must be granted file access to the target skill only (avoid giving it broader system permissions).
Install Mechanism
No install spec and no code files — lowest install risk. Nothing will be written to disk by the skill itself.
Credentials
The skill requires no environment variables, credentials, or config paths; that is proportionate for an instruction-only vetting checklist.
Persistence & Privilege
always:false and default model invocation settings are used. The skill does not request persistent installation or elevated privileges.
Scan Findings in Context
[no-regex-findings] expected: The static scanner found no code to analyze because this is an instruction-only skill; that is expected for a checklist-style vetter.
Assessment
This skill is a manual vetting checklist and appears coherent and low-risk, but verify provenance before relying on it: confirm the author/owner, ensure the _meta.json ownerId matches the registry/source, and prefer running vetting actions in a sandbox or with access limited only to the target skill's files and network. Remember this tool is a checklist — it does not perform automated deep scanning, so perform human review for high-risk skills (credentials, system access, obfuscated code).

Like a lobster shell, security has layers — review code before you run it.
