skill-vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Why use this skill?
Use the OpenClaw Skill Vetter to securely audit AI skills before installation. Detect red flags, verify permissions, and protect your agent's data from malicious code.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/spclaudehome/skill-vetterWhat This Skill Does
Skill Vetter is the primary security defense mechanism for the OpenClaw ecosystem. It is an automated auditing tool designed to inspect, analyze, and grade third-party AI skills before they are integrated into your agent's environment. By enforcing a rigorous, multi-step vetting protocol, Skill Vetter identifies malicious patterns, excessive permission requests, and suspicious code structures, ensuring that you only deploy trusted extensions to your agent.
Installation
To install the Skill Vetter, ensure you have the OpenClaw environment initialized. Run the following command in your agent's terminal:
clawhub install openclaw/skills/skills/spclaudehome/skill-vetter
Once installed, the tool acts as a pre-processing step for any new asset you consider adding to your local library.
Use Cases
- ClawdHub Verification: Use this before pulling any community-submitted plugin from the public repository.
- GitHub Auditing: Run this on external code repositories to detect obfuscated logic or unauthorized file system access.
- Agent Collaboration: If another agent suggests a skill, use this tool to ensure it does not attempt to access your sensitive
IDENTITY.mdorMEMORY.mdfiles. - Dependency Management: Use it to confirm that a skill's declared permissions match its stated functionality, preventing scope creep.
Example Prompts
- "I am thinking about installing 'Crypto-Trader-Bot' from GitHub. Can you run skill-vetter on the repo URL and give me a risk assessment?"
- "Please audit the files in './downloads/new-plugin' using the skill-vetter protocol. I want to know if it attempts to make network calls to any unknown IP addresses."
- "Vetter report, please. I just downloaded a web-scraper plugin. Let me know if it requests read access to my local SSH keys or configuration files."
Tips & Limitations
- Never Skip Step 2: The code review is mandatory. While the tool helps highlight red flags, your oversight is the final line of defense.
- Stay Updated: Always ensure your skill-vetter definitions are current, as new obfuscation techniques are constantly emerging.
- Contextual Awareness: The tool provides a 'Risk Classification' based on objective findings; however, always manually evaluate the 'Extreme' risk cases by seeking human authorization before proceeding.
Metadata
Not sure this is the right skill?
Describe what you want to build — we'll match you to the best skill from 16,000+ options.
Find the right skillPaste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-spclaudehome-skill-vetter": {
"enabled": true,
"auto_update": true
}
}
}Tags(AI)
Flags: file-read
Related Skills
crabnet
Interact with the CrabNet cross-agent collaboration registry. Use when discovering other agents' capabilities, registering your own capabilities, posting tasks for other agents, claiming/delivering work, or searching for agents who can help with specific skills. Enables agent-to-agent collaboration and task exchange.
aws-security-scanner
Scan AWS accounts for security misconfigurations and vulnerabilities. Use when user asks to audit AWS security, check for misconfigurations, find exposed S3 buckets, review IAM policies, check security groups, audit CloudTrail, or run AWS security checks. Covers S3, IAM, EC2, RDS, CloudTrail, and common CIS benchmarks.
slack-power-tools
Advanced Slack automation beyond basic messaging. Use when user needs to manage channels (create, archive, invite users), schedule messages, upload files, search workspace, manage user groups, set status/DND, get analytics, or automate Slack workflows. Covers channel ops, user management, scheduled messages, file uploads, search, and workspace analytics.