skill-vetter
Security vetting protocol before installing any AI agent skill. Red flag detection for credential theft, obfuscated code, exfiltration. Risk classification LOW/MEDIUM/HIGH/EXTREME. Produces structured vetting reports. Never install untrusted skills without running this first.
Why use this skill?
Use the skill-vetter to audit AI agent skills for malicious code, credential theft, and data exfiltration risks before installation. Protect your agent today.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/donovanpankratz-del/openclaw-skill-vetter
What This Skill Does
The skill-vetter is a mandatory security-first protocol designed to protect your agent workspace from malicious, obfuscated, or compromised AI agent skills. It acts as an automated security auditor, conducting a systematic investigation into the origin, code structure, and permission scope of any third-party code before it is allowed to execute within your environment. It systematically identifies potential red flags, such as attempts to exfiltrate system credentials, unauthorized network calls, or the usage of obfuscated shell commands.
Installation
To install this essential security utility, run the following command in your terminal:
clawhub install openclaw/skills/skills/donovanpankratz-del/openclaw-skill-vetter
Use Cases
Use this skill whenever you are integrating new functionality into your agent. Specifically, run it:
- Before installing any external skills sourced from community hubs like ClawHub.
- When evaluating open-source projects or scripts pulled from GitHub repositories.
- If you receive a skill file from another AI agent or human contributor.
- Whenever an unexpected prompt suggests installing an unknown package or utility.
Example Prompts
- "I found a new automation script on GitHub. Please run skill-vetter on the files in this directory before I proceed with the installation."
- "Vetter, I am about to install the 'browser-optimizer' skill from ClawHub. Please generate a full risk classification report."
- "Run a security audit on the latest skill update and confirm if it attempts to access my ~/.aws folder or any environment variables."
Tips & Limitations
- Principle of Least Privilege: Always reject skills that demand elevated system permissions unless they are mission-critical.
- Manual Review: While the automated checks are robust, the skill-vetter is an aid for your own judgment. Never blindly trust an automated result; if a skill feels suspicious, remove it.
- Scope: This tool does not provide permanent runtime protection; it is a pre-installation vetting protocol. Regularly audit your existing installed skills to ensure their behavior hasn't changed via remote updates.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-donovanpankratz-del-openclaw-skill-vetter": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags(AI)
Flags: file-read
Related Skills
cost-governor
Pre-flight cost estimation for subagent spawns and approval gates. Prevents API overspend and surprise billing. Budget control for sessions_spawn calls. Daily spend tracking. Essential for multi-agent OpenClaw deployments.
correction-memory
Makes agent corrections persistent and reusable. When you override, reject, or correct an agent's output, this skill logs the correction and automatically injects it into future spawns of the same agent type. Solves "agent keeps making the same mistake across sessions." Installs correction-tracker lib + injection hook into agent-context-loader. Works standalone or alongside intent-engineering skill.
workspace-organization
Automated workspace health checks and entropy prevention for OpenClaw. Detects broken symlinks, empty dirs, large files, malformed names. Maintenance audit script with cron support. Keeps deployments clean and structured.
Agent Stability Framework
Skill by donovanpankratz-del
subagent-architecture
Advanced patterns for specialized subagent orchestration with production-ready reference implementations. Security isolation, phased implementation, peer collaboration, and cost-aware spawning.