ClawKit Logo
ClawKitReliability Toolkit
Back to Registry
Official Verified developer tools Safety 5/5

vet-repo

Scan repository agent configuration files for known malicious patterns

Why use this skill?

Secure your AI agent configurations by scanning for malicious patterns in .claude and .mcp.json files with the open-source vet-repo tool.

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/itsnishi/vet-repo
Or

What This Skill Does

The vet-repo skill serves as a critical security auditing tool for developers working within AI-augmented environments. It specifically targets the configuration files used by agentic frameworks like Claude and MCP (Model Context Protocol). By scanning directories such as .claude/ and individual configuration files like .mcp.json, the tool identifies potential security vulnerabilities before they can be executed by an AI agent. It looks for common patterns of malicious intent, such as hidden persistence triggers, unauthorized curl/bash commands embedded in instruction sets, and risky environment variable expansions. The output is a structured security report that categorizes risks by severity, allowing users to make informed decisions about whether to trust a repository's automated agent behaviors.

Installation

To integrate vet-repo into your OpenClaw environment, ensure your workspace has the necessary Python 3 dependencies installed. You can add the skill directly from the repository by running the following command in your terminal:

clawhub install openclaw/skills/skills/itsnishi/vet-repo

Once installed, the script becomes available for immediate use across any local project directory you specify.

Use Cases

  • Security Auditing: When onboarding a new project or cloning a repository from an untrusted source, use this skill to check for embedded prompts or hooks that could lead to unauthorized command execution.
  • CI/CD Pipelines: Integrate this as a pre-check step in your automation workflows to ensure that updated agent configurations haven't introduced malicious logic.
  • Risk Mitigation: Use it after pulling collaborative changes to the .claude/ directory to ensure team members haven't inadvertently introduced high-risk persistence triggers.

Example Prompts

  1. "vet-repo run scan on the current project directory and show me if there are any critical configuration risks."
  2. "Perform a security audit using vet-repo on this repository and output the results in a clear list of actionable steps."
  3. "Check for malicious patterns in the .claude and .mcp.json files using the vet-repo skill and tell me if it's safe to enable auto-approve for this repo."

Tips & Limitations

  • Context Awareness: This tool focuses exclusively on configuration files. It does not perform a deep static analysis of your actual source code. Always use it alongside standard vulnerability scanners.
  • Frequency: Make it a habit to run this scan every time the .claude/ directory is updated via a git pull.
  • False Positives: Complex environment variables might occasionally trigger a warning; review the 'INFO' level findings manually to verify if the flagged configuration is intentional and safe for your specific project infrastructure.
Read Full Documentation on GitHub

Metadata

Author@itsnishi
Stars2190
Views1
Updated2026-03-07
View Author Profile
AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-itsnishi-vet-repo": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags(AI)

#security#audit#compliance#automation#risk-assessment
Safety Score: 5/5

Flags: file-read, code-execution

Related Skills

audit-code

Security-focused code review for hardcoded secrets, dangerous calls, and common vulnerabilities

itsnishi 2190

scan-skill

Deep security analysis of an individual skill before installation

itsnishi 2190