Official Verified

skillgate-gov

Supply-chain governance for OpenClaw skills: scan, assess, quarantine/restore.


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/liyecom/skillgate-gov

SkillGate (Governance)

This skill teaches OpenClaw how to run SkillGate against a skills directory, generate evidence, and quarantine risky skills.

Quick Start (recommended)

We intentionally avoid global installs (npm i -g) to reduce supply-chain risk. Use a pinned version via npx for deterministic behavior.

# Scan current workspace (read-only by default)
npx --yes @skillgate/[email protected] gov_scan .

# Show a human-readable explanation for a finding
npx --yes @skillgate/[email protected] gov_explain <EVIDENCE_JSON_PATH>

Provenance / How to verify what you run

# Verify package metadata
npm view @skillgate/[email protected] name version license repository
npm view @skillgate/[email protected] dist.tarball dist.integrity

# Optional: verify GitHub release & source
# Repo: https://github.com/skillgatesecurity/openclaw-skillgate

This package is published under the official @skillgate scope and built/released via GitHub Actions.
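The dist.integrity value returned by npm view is a Subresource Integrity string (algorithm, hyphen, base64 digest), so it can be recomputed independently from the tarball bytes. The following Node.js check is an added example, not code from SkillGate or from this page; the function names, the policy of refusing integrity strings that carry only weak digests, and the sample bytes are assumptions made for illustration.

```javascript
// Added example, not SkillGate code: compare tarball bytes with the SRI string
// printed by `npm view <pkg>@<version> dist.integrity`.
const { createHash, timingSafeEqual } = require('node:crypto');

// Digests accepted for verification, strongest first (assumed policy).
// Anything else, such as sha1, is ignored.
const ALGORITHMS = ['sha512', 'sha384', 'sha256'];

// Parse "sha512-<base64> sha1-<base64>" into [{ algorithm, digest: Buffer }].
function parseIntegrity(sri) {
  return String(sri).trim().split(/\s+/).filter(Boolean).map((entry) => {
    const m = /^([a-z0-9]+)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(entry);
    if (!m) throw new Error(`malformed integrity entry: ${entry}`);
    return { algorithm: m[1], digest: Buffer.from(m[2], 'base64') };
  });
}

// Verify a tarball Buffer against an expected SRI string.
// Only the strongest accepted algorithm present is used; if none is present
// the check fails closed instead of falling back to a weak digest.
function verifyTarball(tarball, expectedSri) {
  const entries = parseIntegrity(expectedSri);
  const algorithm = ALGORITHMS.find((a) => entries.some((e) => e.algorithm === a));
  if (!algorithm) return { ok: false, algorithm: null, actual: null };
  const actual = createHash(algorithm).update(tarball).digest();
  const ok = entries
    .filter((e) => e.algorithm === algorithm)
    .some((e) => e.digest.length === actual.length && timingSafeEqual(e.digest, actual));
  return { ok, algorithm, actual: `${algorithm}-${actual.toString('base64')}` };
}

// Constructed sample: stand-in bytes for a tarball, plus the integrity string
// a registry would report for exactly those bytes.
const sampleTarball = Buffer.from('constructed stand-in for package.tgz');
const sampleIntegrity =
  'sha512-' + createHash('sha512').update(sampleTarball).digest('base64');

console.log(verifyTarball(sampleTarball, sampleIntegrity).ok);           // matching bytes
console.log(verifyTarball(Buffer.from('tampered'), sampleIntegrity).ok); // altered bytes
```

In practice the Buffer would come from reading the downloaded .tgz with fs.readFileSync, and the expected string from a value recorded at review time rather than fetched in the same session.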

Permissions & Filesystem scope

  • Network: not required for scanning local files (except fetching the npm package on first run).
  • Default mode: read-only scan of the given directory.
  • Writes (only when you explicitly run quarantine/restore commands):
    • creates/updates evidence outputs under a local folder (e.g. .skillgate/ or the specified output path)
    • may quarantine a skill by moving/marking files within the target directory you pass in

It does not require secrets (no tokens/keys) and does not modify system-wide settings.

OpenClaw Plugin Commands

Once loaded as an OpenClaw plugin, these slash commands become available:

# scan all skills for risks (default: HIGH+)
/gov scan

# scan with all findings including LOW/INFO
/gov scan --all

# quarantine a specific skill
/gov quarantine <skillKey>

# restore a quarantined skill
/gov restore <skillKey>

# explain why a skill was flagged
/gov explain <skillKey>

# show governance status
/gov status

Risk Levels

Level    | Auto Action | Description
CRITICAL | Quarantine  | Shell injection, supply-chain attacks
HIGH     | Disable     | Dangerous patterns, external downloads
MEDIUM   | Warn        | Risky but not immediately dangerous
LOW/INFO | Log         | Informational only

Local Development (optional)

If you prefer a local dependency instead of npx:

npm i -D @skillgate/[email protected]
npx gov_scan .

Notes

Use this as the standard operating procedure for Skill supply-chain reviews.

Metadata

Author: @liyecom
Stars: 1601
Views: 0
Updated: 2026-02-27
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-liyecom-skillgate-gov": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Safety Note: ClawKit audits metadata but not runtime behavior. Use with caution.