skillvet
Security scanner for ClawHub/community skills — detects malware, credential theft, exfiltration, prompt injection, obfuscation, homograph attacks, ANSI injection, campaign-specific attack patterns, and more before you install. Use when installing skills from ClawHub or any public marketplace, reviewing third-party agent skills for safety, or vetting untrusted code before giving it to your AI agent. Triggers: install skill, audit skill, check skill, vet skill, skill security, safe install, is this skill safe.
Why use this skill?
Secure your OpenClaw agent by scanning skills for malware, exfiltration, and prompt injection. Use Skillvet to audit ClawHub installations and stay safe.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/oakencore/skillvetWhat This Skill Does
Skillvet is the primary security defense mechanism for the OpenClaw ecosystem, acting as a rigorous auditing agent for third-party skills. It performs a deep inspection of skill source code to detect malicious patterns, vulnerabilities, and potential security threats. By running 48 critical security checks and 8 warning-level heuristics, it safeguards your agent against malware, credential theft, exfiltration attempts, prompt injection, and obfuscation. It relies on a dependency-free architecture utilizing bash and grep, ensuring high portability and low overhead. Skillvet incorporates advanced threat intelligence from industry leaders like Koi Security, Bitdefender, Snyk, and 1Password, specifically targeting known 'ClawHavoc' campaign signatures and ClickFix attack patterns. It is designed to act as a gatekeeper for any code originating from ClawHub or untrusted public repositories.
Installation
You can install the skill directly via the OpenClaw CLI using the following command:
clawhub install openclaw/skills/skills/oakencore/skillvet
Once installed, ensure the pre-commit hook is active to automate ongoing security checks during development by running:
ln -sf ../../scripts/pre-commit-hook .git/hooks/pre-commit
Use Cases
- Pre-Install Safety: Scan remote skills before they are even downloaded to your local environment.
- CI/CD Pipelines: Integrate security auditing into automated agent build pipelines using the
--jsonor--sarifflags. - Security Auditing: Periodically scan all installed skills to detect drift or unauthorized modifications.
- Vulnerability Patching: Use the
diff-scanutility to ensure that updates to existing skills do not introduce new security regressions.
Example Prompts
- "Check the skill I just downloaded from ClawHub at path skills/test-agent to see if it contains any obfuscated code or exfiltration patterns."
- "Perform a safe install of the 'web-browser' skill and automatically remove it if the audit reveals any critical security vulnerabilities."
- "Scan all current skills in my directory and provide a summary report of any detected warnings or critical issues."
Tips & Limitations
To minimize false positives, leverage the .skillvetrc file to disable specific checks that may conflict with legitimate non-malicious code patterns. For fine-grained control, use // skillvet-ignore inline comments to whitelist specific lines of code that you have manually verified as safe. Note that while Skillvet is highly effective at detecting known signatures and patterns, it cannot guarantee 100% protection against zero-day exploits. Always perform a manual code review for critical infrastructure skills.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-oakencore-skillvet": {
"enabled": true,
"auto_update": true
}
}
}Tags(AI)
Flags: file-read, code-execution