skill-vettr

What This Skill Does

skill-vettr is a specialized security analysis agent designed to harden the OpenClaw ecosystem. Before you integrate third-party skills from public repositories like ClawHub, it is critical to verify that they do not contain malicious code, backdoors, or patterns indicative of supply-chain attacks. This skill acts as a static analysis engine that scrutinizes source code, package configurations, and metadata. By utilizing tree-sitter for robust AST (Abstract Syntax Tree) parsing and regex-based pattern matching, it identifies risky operations—such as dangerous eval() calls, unsanitized spawn() commands, and suspicious shell execution patterns—before you commit to an installation.

Installation

To add this security layer to your environment, execute the following command in your terminal:

clawhub install openclaw/skills/skills/britrik/publish-skill-vettr

Once installed, ensure you have Node.js available in your environment, as the engine relies on WASM grammar files to interpret various programming languages during analysis. Please note the security warning regarding dependency installation: running npm install within the skill directory executes lifecycle scripts. For the highest level of security, consider running the installation within a containerized environment to prevent untrusted code from modifying your local system configurations.

Use Cases

This skill is an essential tool for developers and security-conscious OpenClaw users. Use it when:

• Installing community-sourced skills from untrusted or unverified developers.
• Auditing new dependencies added to your existing projects to ensure no typosquatting is present.
• Checking for potential prompt injection vulnerabilities hidden within skill metadata or logic.
• Validating whether a skill is attempting to access sensitive system files or restricted network endpoints.

Example Prompts

1. "vettr, please analyze the skill located at /home/user/downloads/my-new-tool and tell me if it contains any dangerous shell execution commands."
2. "Use skill-vettr to scan the repository at https://github.com/unknown-dev/experimental-plugin and alert me to any suspicious network calls."
3. "Can you vet the 'cool-image-editor' skill from ClawHub before I install it to ensure it isn't an attempt at a typosquatting attack?"

Tips & Limitations

• Isolation: Always prefer running scans on cloned repositories in a sandboxed VM or container.
• Heuristic Nature: Remember that this is a static analysis tool. It excels at identifying common signatures of malicious behavior, but it cannot guarantee immunity against highly sophisticated, obfuscated zero-day exploits.
• External Binaries: The tool is designed to work with restricted permissions. It invokes git, curl, and tar specifically for fetching, ensuring minimal surface area for potential exploitation during the vetting phase.