agent-skills-tools
Security audit and validation tools for the Agent Skills ecosystem. Scan skill packages for common vulnerabilities like credential leaks, unauthorized file access, and Git history secrets. Use when you need to audit skills for security before installation, validate skill packages against Agent Skills standards, or ensure your skills follow best practices.
Why use this skill?
Protect your OpenClaw agents from security threats. Scan skill packages for credential leaks, dangerous file access, and compliance issues with agent-skills-tools.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/rongself/agent-skills-toolsWhat This Skill Does
The agent-skills-tools suite acts as a critical security layer for the OpenClaw ecosystem. Designed to protect agents from malicious code injection, this skill performs deep static analysis and historical scanning on any target skill package. By simulating an automated security reviewer, it identifies common vulnerabilities such as hardcoded API keys, dangerous file system calls to sensitive directories like ~/.ssh or ~/.aws, and potential data exfiltration via unauthorized network requests. It is the primary line of defense for maintainers and developers to ensure that the code they integrate into their agents adheres to industry-standard safety practices.
Installation
To integrate these security tools into your OpenClaw environment, execute the following command in your terminal:
clawhub install openclaw/skills/skills/rongself/agent-skills-tools
Once installed, you can invoke the security audit script directly from your terminal or trigger it through an automated CI/CD pipeline script to audit new skill packages before deployment.
Use Cases
This tool is essential for three primary scenarios:
- Pre-installation Verification: Before adding a community-contributed skill, run the audit to ensure it doesn't contain hidden backdoors.
- Security Compliance: Organizations building internal tools can force all developers to pass this audit to ensure no secrets are accidentally committed to internal repositories.
- Historical Integrity Check: Use the git-history scanning features to ensure that previously removed sensitive keys aren't still lurking in the git commit logs of older skill versions.
Example Prompts
- "Run a full security audit on the new skill located at ./skills/my-new-tool to check for credential leaks or dangerous file system access."
- "Scan the repository at ./custom-skills/data-processor and verify if it follows best practices regarding environment variable usage."
- "Check if any of the recent updates in the plugin directory contain references to /home/user/.ssh or other private configuration files."
Tips & Limitations
For the best results, ensure your environment is configured for environment variables rather than hardcoded strings. While this tool is excellent for detecting common patterns, it is a static analyzer. It cannot predict complex obfuscated logic or logic bombs that trigger only under specific runtime conditions. Always exercise caution when installing third-party skills, and use this tool as part of a multi-layered security approach. Keep the tool updated to benefit from the latest detection rules against emerging threat vectors in the agent-skills ecosystem.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-rongself-agent-skills-tools": {
"enabled": true,
"auto_update": true
}
}
}Tags(AI)
Flags: file-read, code-execution