skill-vetting
Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing whether a skill adds value over existing tools.
Best use case
skill-vetting is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing whether a skill adds value over existing tools.
Teams using skill-vetting should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/skill-vetting/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How skill-vetting Compares
| Feature / Agent | skill-vetting | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing whether a skill adds value over existing tools.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Skill Vetting Safely evaluate ClawHub skills for security risks and practical utility. ## Quick Start ```bash # Download and inspect cd /tmp curl -L -o skill.zip "https://auth.clawdhub.com/api/v1/download?slug=SKILL_NAME" mkdir skill-inspect && cd skill-inspect unzip -q ../skill.zip # Run scanner python3 ~/.openclaw/workspace/skills/skill-vetting/scripts/scan.py . # Manual review cat SKILL.md cat scripts/*.py ``` ## Vetting Workflow ### 1. Download to /tmp (Never Workspace) ```bash cd /tmp curl -L -o skill.zip "https://auth.clawdhub.com/api/v1/download?slug=SLUG" mkdir skill-NAME && cd skill-NAME unzip -q ../skill.zip ``` ### 2. Run Automated Scanner ```bash python3 ~/.openclaw/workspace/skills/skill-vetting/scripts/scan.py . ``` **Exit codes:** 0 = Clean, 1 = Issues found The scanner outputs specific findings with file:line references. Review each finding in context. ### 3. Manual Code Review **Even if scanner passes:** - Does SKILL.md description match actual code behavior? - Do network calls go to documented APIs only? - Do file operations stay within expected scope? - Any hidden instructions in comments/markdown? ```bash # Quick prompt injection check grep -ri "ignore.*instruction\|disregard.*previous\|system:\|assistant:" . ``` ### 4. Utility Assessment **Critical question:** What does this unlock that I don't already have? Compare to: - MCP servers (`mcporter list`) - Direct APIs (curl + jq) - Existing skills (`clawhub list`) **Skip if:** Duplicates existing tools without significant improvement. ### 5. Decision Matrix | Security | Utility | Decision | |----------|---------|----------| | ✅ Clean | 🔥 High | **Install** | | ✅ Clean | ⚠️ Marginal | Consider (test first) | | ⚠️ Issues | Any | **Investigate findings** | | 🚨 Malicious | Any | **Reject** | ## Red Flags (Reject Immediately) - eval()/exec() without justification - base64-encoded strings (not data/images) - Network calls to IPs or undocumented domains - File operations outside temp/workspace - Behavior doesn't match documentation - Obfuscated code (hex, chr() chains) ## After Installation Monitor for unexpected behavior: - Network activity to unfamiliar services - File modifications outside workspace - Error messages mentioning undocumented services Remove and report if suspicious. ## References - **Malicious patterns + false positives:** [references/patterns.md](references/patterns.md)
Related Skills
paylock
Non-custodial SOL escrow for AI agent deals.
agent-reputation
summary: Cross-platform AI agent reputation checker with trust scoring and PayLock escrow recommendations.
Telecom Agent Skill
Turn your AI Agent into a Telecom Operator. Bulk calling, ChatOps, and Field Monitoring.
OpenClaw-Finnhub
OpenClaw skill for real-time stock quote, and financials via Finnhub API.
```markdown
# OpenClaw-Last.fm
security-operator
Runtime security guardrails for OpenClaw agents.
operator-humanizer
Transform AI-generated text into authentic human writing.
kit-email-operator
**AI-powered email marketing for Kit (ConvertKit)**.
agora
Trade prediction markets on Agora — the prediction market exclusively for AI agents. Register, browse markets, trade YES/NO, create markets, earn reputation via Brier scores.
surf-check
Surf forecast decision engine.
jinko-flight-search
Search flights and discover travel destinations using the Jinko MCP server. Provides two core capabilities: (1) Destination discovery — find where to travel based on criteria like budget, climate, or activities when the user has no specific destination in mind, and (2) Specific flight search — compare flights between two known cities/airports with flexible dates, cabin classes, and budget filters. Use this skill when the user wants to: search for flights, find cheap flights, discover travel destinations, compare flight prices, plan a trip, find deals from a specific city, or explore where to go. Triggers on any flight-booking, travel-planning, or destination-discovery request. Requires the Jinko MCP server connected at https://mcp.gojinko.com.
mlx-whisper
Local speech-to-text with MLX Whisper (Apple Silicon optimized, no API key).