3.6k★by eddygk
skill-vetting – OpenClaw Skill
skill-vetting is an OpenClaw Skills integration for coding workflows. Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing whether a skill adds value over existing tools.
Skill Snapshot
| name | skill-vetting |
| description | Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing whether a skill adds value over existing tools. OpenClaw Skills integration. |
| owner | eddygk |
| repository | eddygk/skill-vetting |
| language | Markdown |
| license | MIT |
| topics | |
| security | L1 |
| install | openclaw add @eddygk/skill-vetting |
| last updated | Feb 7, 2026 |
Maintainer
name: skill-vetting description: Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing whether a skill adds value over existing tools.
Skill Vetting
Safely evaluate ClawHub skills for security risks and practical utility.
Quick Start
# Download and inspect
cd /tmp
curl -L -o skill.zip "https://auth.clawdhub.com/api/v1/download?slug=SKILL_NAME"
mkdir skill-inspect && cd skill-inspect
unzip -q ../skill.zip
# Run scanner
python3 ~/.openclaw/workspace/skills/skill-vetting/scripts/scan.py .
# Manual review
cat SKILL.md
cat scripts/*.py
Vetting Workflow
1. Download to /tmp (Never Workspace)
cd /tmp
curl -L -o skill.zip "https://auth.clawdhub.com/api/v1/download?slug=SLUG"
mkdir skill-NAME && cd skill-NAME
unzip -q ../skill.zip
2. Run Automated Scanner
python3 ~/.openclaw/workspace/skills/skill-vetting/scripts/scan.py .
Exit codes: 0 = Clean, 1 = Issues found
The scanner outputs specific findings with file:line references. Review each finding in context.
3. Manual Code Review
Even if scanner passes:
- Does SKILL.md description match actual code behavior?
- Do network calls go to documented APIs only?
- Do file operations stay within expected scope?
- Any hidden instructions in comments/markdown?
# Quick prompt injection check
grep -ri "ignore.*instruction\|disregard.*previous\|system:\|assistant:" .
4. Utility Assessment
Critical question: What does this unlock that I don't already have?
Compare to:
- MCP servers (
mcporter list) - Direct APIs (curl + jq)
- Existing skills (
clawhub list)
Skip if: Duplicates existing tools without significant improvement.
5. Decision Matrix
| Security | Utility | Decision |
|---|---|---|
| ✅ Clean | 🔥 High | Install |
| ✅ Clean | ⚠️ Marginal | Consider (test first) |
| ⚠️ Issues | Any | Investigate findings |
| 🚨 Malicious | Any | Reject |
Red Flags (Reject Immediately)
- eval()/exec() without justification
- base64-encoded strings (not data/images)
- Network calls to IPs or undocumented domains
- File operations outside temp/workspace
- Behavior doesn't match documentation
- Obfuscated code (hex, chr() chains)
After Installation
Monitor for unexpected behavior:
- Network activity to unfamiliar services
- File modifications outside workspace
- Error messages mentioning undocumented services
Remove and report if suspicious.
References
- Malicious patterns + false positives: references/patterns.md
No README available.
Permissions & Security
Security level L1: Low-risk skills with minimal permissions. Review inputs and outputs before running in production.
Requirements
- OpenClaw CLI installed and configured.
- Language: Markdown
- License: MIT
- Topics:
FAQ
How do I install skill-vetting?
Run openclaw add @eddygk/skill-vetting in your terminal. This installs skill-vetting into your OpenClaw Skills catalog.
Does this skill run locally or in the cloud?
OpenClaw Skills execute locally by default. Review the SKILL.md and permissions before running any skill.
Where can I verify the source code?
The source repository is available at https://github.com/openclaw/skills/tree/main/skills/eddygk/skill-vetting. Review commits and README documentation before installing.