
from skill-vetter19
Pre-install security gate that scans a skill for prompt-injection, secrets, and other vulnerabilities before installation.
Skill Vetter runs multiple security scanners against a skill (SKILL.md, scripts, repo contents) and produces a clear verdict: BLOCKED, REVIEW, or SAFE. It aggregates results from prompt-injection checks, static analysis, secrets scanning, and structural checks to help an operator decide whether to install a skill. Typical outputs list which scanners ran, findings by severity, and an explicit recommendation.
Run Skill Vetter before installing any third-party skill from ClawHub, GitHub, or other sources. Trigger it when a user mentions installing or adding a new skill, or whenever automated installs are considered. Use it to gate installs in high-security or multi-agent environments.
Ideal for OpenClaw and Claude Code environments; any agent that manages skill installation or can call shell scripts can integrate with Skill Vetter.
Skill Vetter is a multi-scanner security gate designed to vet incoming skills before installation. No bundled scripts were found in the database, so only static analysis of the SKILL.md was possible. The SKILL.md describes a vett.sh orchestrator and check-deps.sh, but neither script's content was available. The concept is sound — running aguara, skill-analyzer, secrets-scan, and structure-check against skills — but the heavy dependency requirements (Go tool, Cisco Python tool) limit practical usability.
aguara (Go-based prompt scanner)
skill-analyzer (Cisco AI skill scanner)
SKILL.md is clean with no malicious patterns. Frontmatter is minimal — missing the openclaw metadata block. No references/ directory or bundled scripts available for review. The skill describes 4 external scanners as dependencies but none are included, making it more of a blueprint than a ready-to-use skill. The security focus is legitimate and well-intentioned.