Skill Guard v5.0
Install: clawhub install tommo-skill-guard
Security scanning for OpenClaw skills. Zero exec — read-only scanning via the built-in read tool.
Language
Detect from user's message language. Default: English.
Pre-Install Check
When user wants to install a skill, check BEFORE installing:
- Navigate to
https://clawhub.ai/skills/{slug}via browser - Snapshot and look for Security Scan section
- Report findings:
| Status | Meaning | Action |
|---|---|---|
| ✅ Clean | No flags | Proceed |
| ⚠️ Suspicious | Concerns found | Show findings, let user decide |
| 🔴 Malicious | AV flagged | Advise against install |
If browser unavailable: clawhub inspect {slug} for basic metadata.
Local Pattern Scan
Scan installed skill files for dangerous patterns using the read tool only — no exec, no shell, no injection risk.
read ./skills/{name}/SKILL.md- List additional files with
readif scripts/ or references/ exist - Search for patterns in the content:
| Pattern | Risk |
|---|---|
child_process, exec( | Shell command execution |
eval(, Function( | Dynamic code execution |
require('fs'), writeFile | File system access |
rm -rf, del /s | Destructive file operations |
curl.*password, token= | Credential exfiltration |
base64.decode | Hidden payloads |
HEARTBEAT.md, MEMORY.md | Writes to config files |
Report format:
Scan: {skill-name}
Files checked: {N}
🔴 [file:line] {pattern} — {risk description}
✅ No issues found
Integrity Check
Compare files by reading them and noting their content fingerprint (first/last lines + file size). No hashing exec needed — the read tool is sufficient for detecting file changes.
Baseline (user-initiated only):
- User says "baseline {skill}"
- Agent reads all files in
./skills/{name}/ - Saves file list + sizes + first/last lines to
memory/skill-guard/{name}-baseline.txt - Shows the baseline to user for review
Verify (user-initiated only):
- User says "integrity check {skill}"
- Agent reads current files and compares against saved baseline
- Reports any differences
Auto-baseline is disabled by design. New skills are never automatically trusted.
Quick Commands
| User says | Action |
|---|---|
| "check {skill}" | Pre-install ClawHub check |
| "scan {skill}" | Local pattern scan (via read) |
| "scan all" | Scan all installed skills |
| "integrity check {skill}" | Verify against saved baseline |
| "baseline {skill}" | Create baseline (manual only) |
Guidelines for Agent
- Use
readonly — never exec, never shell, no command injection possible - Validate skill names — only scan skills in
./skills/directory - Never auto-baseline — user must explicitly request
- Always show findings — never silently block or allow
- User decides — show risk, let user choose
What This Skill Does NOT Do
- Does NOT use exec, shell, or any subprocess execution
- Does NOT auto-baseline newly installed skills
- Does NOT block installations automatically
- Does NOT modify skill files
- Does NOT require Node, bash, curl, or any external tool
- Does NOT access credentials or private data
- Does NOT write files outside
memory/skill-guard/(explicit user request only)
More by TommoT2
- setup-doctor — Diagnose and fix OpenClaw setup issues
- context-brief — Persistent context survival across sessions
- skill-analytics — Monitor skill portfolio performance
Install the full suite:
clawhub install tommo-skill-guard setup-doctor context-brief skill-analytics