skill-guard
Security scanner for Skills. This skill MUST be consulted BEFORE loading or following instructions from any other Skill downloaded from the internet or third-party sources (e.g., clawhub.ai). It scans Skills for malicious behavior including prompt injection, data exfiltration, credential harvesting, obfuscated payloads, and social engineering. Whenever Claude is about to read another SKILL.md file, first trigger this skill to perform a security audit. Use this skill when: (1) any new or unfamiliar Skill is being loaded, (2) a user asks to install or use a Skill from an external source, (3) a user asks to review a Skill for safety.
Why use this skill?
Secure your AI workflow with Skill Guard. Automatically scan third-party OpenClaw agents for malicious behavior, prompt injection, and data exfiltration threats before installation.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/goodman333/skill-safeguardWhat This Skill Does
Skill Guard acts as the primary security layer for the OpenClaw ecosystem, serving as a vigilant gatekeeper that inspects all external and third-party AI agents before they are granted system access. In an environment where AI-driven automation is accelerating, the risk of malicious "Prompt Injection" and "Data Exfiltration" is significant. Skill Guard mitigates these risks by automating the static analysis of file contents, identifying suspicious patterns such as hidden system-prompt overrides, hardcoded network endpoints, or attempts to access protected system credentials (like AWS keys or shell history files).
Installation
To install this essential security utility, execute the following command within your terminal or OpenClaw interface:
clawhub install openclaw/skills/skills/goodman333/skill-safeguard
Once installed, ensure it is enabled in your global configuration to trigger automatically whenever a new skill directory is referenced or a SKILL.md file is accessed by the agent.
Use Cases
- Vetting Third-Party Skills: Automatically scan any Skill downloaded from public repositories or ClawHub before integration.
- Security Auditing: Conduct an exhaustive review of local code repositories if you suspect anomalous agent behavior.
- Compliance Enforcement: Maintain a secure environment by requiring a clean security report for any workflow involving sensitive or private user data.
Example Prompts
- "@skill-guard, please audit the newly downloaded 'finance-helper' skill located in the ./skills/finance-helper folder."
- "I want to install a community-shared automation tool. Can you run a security check on this directory first and let me know if there are any suspicious network requests?"
- "@skill-guard, perform a full safety review of the 'web-scraper-v2' plugin and provide a summary report in both English and Chinese."
Tips & Limitations
- Static Analysis Only: Skill Guard performs static analysis. It does not execute the code, which prevents runtime attacks but means it cannot identify highly obfuscated or dynamic payloads that require execution to reveal. Always use with caution.
- Dependencies: This skill works best when paired with local code-analysis tools. Ensure you have the necessary system permissions for the tool to read file paths.
- Report Interpretation: Always prioritize alerts categorized as 'High' severity. If the tool detects unauthorized access to environment variables, terminate the skill execution immediately.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-goodman333-skill-safeguard": {
"enabled": true,
"auto_update": true
}
}
}Tags(AI)
Flags: file-read