pincer
Security-first wrapper for installing agent skills. Scans for malware, prompt injection, and suspicious patterns before installation. Use instead of `clawhub install` for safer skill management.
Why use this skill?
Safely install OpenClaw skills with pincer. Scan for malware, prompt injection, and suspicious patterns before executing code. Protect your AI agent environment.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/panzacoder/pincerWhat This Skill Does
pincer is a critical security wrapper for the OpenClaw ecosystem, designed to intercept and validate agent skills before they are installed or executed. It functions as a gatekeeper, performing deep inspection of skill source code and metadata to identify malicious behavior, such as prompt injection, hard-coded secrets, or suspicious shell command patterns. By replacing standard installation methods with pincer, users add a vital layer of defense against software supply chain attacks common in evolving AI agent hubs.
Installation
To install pincer, first ensure you have the required dependencies: clawhub, uvx (for running the scan engine), and jq. You can install the tool directly from the hub using clawhub install pincer. For manual installation, clone the repository, run chmod +x ./scripts/pincer.sh, and create a symbolic link in your local binary path: ln -sf "$(pwd)/scripts/pincer.sh" ~/.local/bin/pincer. Once installed, pincer acts as your primary interface for all skill-related lifecycle management.
Use Cases
Use pincer whenever you intend to add new agent capabilities to your environment. It is particularly valuable for developers who frequently test third-party open-source skills from public repositories where code could be obfuscated or compromised. Security-conscious users can utilize the audit feature to perform periodic deep scans of their existing installed skill-set, identifying dormant threats or misconfigurations. Additionally, the 'trust' management system allows you to build a personalized, vetted list of publishers, enabling automated workflows while maintaining high safety standards.
Example Prompts
- "pincer install [email protected] and perform a deep scan for any embedded shell scripts or hard-coded API keys."
- "I am suspicious of a recently installed tool; please run a full audit of all installed skills and provide the output in JSON format so I can review the findings."
- "Add the developer 'trusted-org' to my whitelist and remove the 'experimental-dev' publisher from my trust list immediately."
Tips & Limitations
pincer excels at detecting known malicious patterns like Base64-encoded payloads and Gatekeeper bypasses, but it is not a silver bullet. AI-driven prompt injection can be highly nuanced and sometimes bypass static analysis; always manually inspect any skill that performs sensitive file operations. Use the pincer config command to tune the strictness of your security threshold. Ensure that your uvx and clawhub binaries are regularly updated, as the security database depends on these underlying components for the most current threat intelligence.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-panzacoder-pincer": {
"enabled": true,
"auto_update": true
}
}
}Tags(AI)
Flags: file-read, file-write, code-execution