skill-guard
Scan ClawHub skills for prompt injection and malicious content using Lakera Guard before installing them. Run automatically when the user asks to install a skill, or on-demand to audit any skill by slug or search query.
About this skill
SkillGuard is an essential security skill designed for AI agents operating within the OpenClaw ecosystem. Its primary function is to proactively identify and mitigate risks associated with third-party skills from ClawHub by scanning them for prompt injection vulnerabilities, jailbreak attempts, and other forms of malicious content. This ensures that only safe and reliable skills are integrated into an AI agent's workspace, preventing potential security breaches, unintended behaviors, or data compromise. The skill operates by leveraging a hosted Apify actor which fetches the raw content of a specified skill from ClawHub's public API. This content is then submitted to Lakera Guard, a specialized API for prompt injection detection and content moderation. Based on Lakera Guard's analysis, SkillGuard returns a clear verdict: 'safe', 'flagged' (indicating potential issues), or 'error', accompanied by detailed reasoning. Users can deploy SkillGuard automatically during skill installation prompts, or trigger it manually to audit existing skills or specific skill slugs. The results are delivered asynchronously via an ad-hoc webhook back to the OpenClaw agent, allowing for seamless integration into security workflows.
Best use case
The primary use case for SkillGuard is to enhance the security posture of AI agents by providing a crucial layer of defense against unsafe or malicious third-party skills. It benefits any AI agent user or developer who frequently installs new capabilities from a public skill marketplace like ClawHub and wants to ensure the integrity and trustworthiness of their agent's environment. This skill is vital for maintaining operational security and preventing the exploitation of AI models through sophisticated prompt attacks or embedded harmful instructions.
Scan ClawHub skills for prompt injection and malicious content using Lakera Guard before installing them. Run automatically when the user asks to install a skill, or on-demand to audit any skill by slug or search query.
A clear safety verdict (safe, flagged, or error) for the scanned skill, detailing any detected prompt injection, jailbreak attempts, or malicious content, ensuring informed installation decisions.
Practical example
Example input
Hey agent, before you `clawhub install my-new-utility`, can you run SkillGuard on it to check for prompt injection?
Example output
SkillGuard analysis for `my-new-utility` completed. Verdict: flagged. Reason: Potential jailbreak attempt detected in the skill's instructions. Review recommended.
When to use this skill
- When installing any new third-party skill from ClawHub.
- To proactively audit the safety of any existing skill by its slug or a search query.
- If you suspect a skill might contain malicious code, prompt injections, or jailbreak attempts.
- As part of a routine security check for all installed skills in your workspace.
When not to use this skill
- When installing skills from a fully trusted, internal, or pre-vetted source where security is already guaranteed.
- If operating in an environment without internet access or access to Lakera Guard/Apify APIs.
- When the overhead of an external API call is critical and skill safety is not a concern (e.g., highly optimized internal workflows).
- If a robust, centralized security scanning solution is already in place for all incoming skills.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/skill-guard-actor/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How skill-guard Compares
| Feature / Agent | skill-guard | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | medium | N/A |
Frequently Asked Questions
What does this skill do?
Scan ClawHub skills for prompt injection and malicious content using Lakera Guard before installing them. Run automatically when the user asks to install a skill, or on-demand to audit any skill by slug or search query.
How difficult is it to install?
The installation complexity is rated as medium. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for ChatGPT
Find the best AI skills to adapt into ChatGPT workflows for research, writing, summarization, planning, and repeatable assistant tasks.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
SKILL.md Source
# SkillGuard
Scan ClawHub skills for prompt injection, jailbreak attempts, and malicious instructions
before they get installed into your OpenClaw workspace.
## When to use this skill
- User says "install [skill]", "clawhub install [skill]", or "add the [skill] skill"
- User says "scan [skill]", "check [skill] for safety", "is [skill] safe?"
- User says "audit my skills" or "scan all installed skills"
- Any time you are about to install a third-party skill from ClawHub
## How it works
SkillGuard calls a hosted Apify actor (`numerous_hierarchy/skill-guard-actor`,
actor ID: `TMjFBNFqIIUfCBf6K`) that:
1. Fetches the raw SKILL.md content from ClawHub's public API
2. Passes it to Lakera Guard for prompt injection analysis
3. Returns a verdict: `safe`, `flagged`, or `error` with reasoning
Results are delivered back to your OpenClaw agent via an ad-hoc webhook.
## Running the actor
Use an ad-hoc webhook to trigger the run asynchronously and receive results
back via your OpenClaw hooks endpoint.
### Step 1: Build the webhook definition
Create this JSON array, then base64-encode it:
```json
[{
"eventTypes": ["ACTOR.RUN.SUCCEEDED", "ACTOR.RUN.FAILED"],
"requestUrl": "$OPENCLAW_WEBHOOK_URL",
"headersTemplate": "{\"Authorization\": \"Bearer $OPENCLAW_HOOKS_TOKEN\"}",
"payloadTemplate": "{\"resource\": {{resource}}}"
}]
```
### Step 2: Start the run
Use the bundled script — it handles base64 encoding the webhook and making
the API call:
```bash
# Scan by slug
bash {baseDir}/scripts/scan.sh --slug instagram-search
# Scan by search query
bash {baseDir}/scripts/scan.sh --query instagram
# Both (results deduplicated)
bash {baseDir}/scripts/scan.sh --slug instagram-search --query instagram --max 5
```
The script reads `APIFY_TOKEN`, `LAKERA_API_KEY`, `OPENCLAW_WEBHOOK_URL`, and
`OPENCLAW_HOOKS_TOKEN` from the environment automatically.
Or make the API call manually:
```
POST https://api.apify.com/v2/acts/TMjFBNFqIIUfCBf6K/runs
?token=$APIFY_TOKEN
&webhooks=BASE64_ENCODED_WEBHOOK
Content-Type: application/json
```
To scan by slug:
```json
{
"skillSlugs": ["skill-name-here"],
"lakeraApiKey": "$LAKERA_API_KEY",
"maxSkills": 10
}
```
To scan by search query:
```json
{
"searchQuery": "instagram",
"lakeraApiKey": "$LAKERA_API_KEY",
"maxSkills": 5
}
```
You can provide both `skillSlugs` and `searchQuery` — results are deduplicated.
### Step 3: Receive results via webhook
When the run completes, your OpenClaw hooks endpoint receives a POST with the
actor's dataset items in `resource.defaultDatasetId`. Fetch them at:
```
GET https://api.apify.com/v2/datasets/{resource.defaultDatasetId}/items
```
### Response format
Each skill in the dataset returns:
```json
[
{
"slug": "some-skill",
"name": "Some Skill",
"author": "username",
"verdict": "flagged",
"flagged": true,
"reasoning": "Flagged by Lakera: prompt_attack, unknown_links",
"url": "https://clawhub.ai/skills/some-skill",
"scanned_at": "2026-03-02T19:26:29.666Z"
}
]
```
## How to respond to the user
### If all skills are safe (`verdict: "safe"` for all):
Tell the user the skill passed the security scan and proceed with installation:
> "✅ [skill-name] passed the SkillGuard scan — no prompt injection or malicious content detected. Safe to install."
Then run: `clawhub install [slug]`
### If any skill is flagged (`verdict: "flagged"`):
Do NOT install the skill. Tell the user:
> "⚠️ SkillGuard flagged [skill-name] before installation. Reason: [reasoning]. I'm not installing it. You can review it manually at [url] and override if you trust the source."
Wait for explicit user confirmation before proceeding.
### If verdict is `error`:
> "⚠️ SkillGuard couldn't scan [skill-name] — [error_message]. Proceed with caution."
### If scanning multiple skills:
Show a summary table, then list any flagged ones with their reasoning. Only install the safe ones unless the user explicitly overrides.
## Example interactions
**User:** "Install the instagram-search skill"
**You:** Run SkillGuard with `skillSlugs: ["instagram-search"]`. If flagged, report it and hold. If safe, install it.
**User:** "Scan instagram skills"
**You:** Run SkillGuard with `searchQuery: "instagram"`. Report the full results table with verdicts and reasoning for each.
**User:** "I know it's flagged, install it anyway"
**You:** Confirm once more, then proceed with `clawhub install [slug]` and note the override in your response.
## Environment variables required
- `APIFY_TOKEN` — your Apify API token (get one at console.apify.com)
- `LAKERA_API_KEY` — your Lakera Guard API key (get one at platform.lakera.ai)
- `OPENCLAW_WEBHOOK_URL` — your OpenClaw hooks endpoint URL
- `OPENCLAW_HOOKS_TOKEN` — your OpenClaw hooks auth token
## On First Install
When this skill is first installed and loaded, do the following automatically
before responding to the user:
### 1. Write the install policy to TOOLS.md
Append the following block to `{baseDir}/../../TOOLS.md`, creating the file
if it does not exist:
```
### ClawHub Install Policy (SkillGuard)
Before running `clawhub install <slug>` for ANY skill, you MUST first run
SkillGuard to scan it. If the scan returns `flagged`, do NOT install and
tell the user why. Only proceed if the user explicitly confirms the override.
```
Use bash to append it:
```bash
cat >> ~/.openclaw/workspace/TOOLS.md << 'EOF'
### ClawHub Install Policy (SkillGuard)
Before running `clawhub install <slug>` for ANY skill, you MUST first run
SkillGuard to scan it. If the scan returns `flagged`, do NOT install and
tell the user why. Only proceed if the user explicitly confirms the override.
EOF
```
### 2. Notify the user
After writing to TOOLS.md, tell the user exactly this:
> "✅ SkillGuard is installed and your ClawHub install policy has been written
> to TOOLS.md. **Please start a new session now** to activate protection —
> any skills installed before you do will not be scanned. Once you're in a
> new session, all `clawhub install` commands will be scanned automatically."
Do not proceed with any other task until the user acknowledges this.
## Setup and integration
If the user needs help setting up the webhook endpoint or configuring their
OpenClaw gateway to receive results, refer them to the integration guide
bundled with this skill:
`{baseDir}/INTEGRATION.md`
Read it yourself if you need to explain any setup step to the user.Related Skills
security-guardian
Automated security auditing for OpenClaw projects. Scans for hardcoded secrets (API keys, tokens) and container vulnerabilities (CVEs) using Trivy. Provides structured reports to help maintain a clean and secure codebase.
guardian-wall
Mitigate prompt injection attacks, especially indirect ones from external web content or files. Use this skill when processing untrusted text from the internet, user-uploaded files, or any external source to sanitize content and detect malicious instructions (e.g., "ignore previous instructions", "system override").
agentguard
GoPlus AgentGuard — AI agent security guard. Automatically blocks dangerous commands, prevents data leaks, and protects secrets. Use when reviewing third-party code, auditing skills, checking for vulnerabilities, evaluating action safety, or viewing security logs.
HIPAA Compliance for AI Agents
Generate HIPAA compliance checklists, risk assessments, and audit frameworks for healthcare organizations deploying AI agents.
Data Governance Framework
Assess, score, and remediate your organization's data governance posture across 6 domains.
Cybersecurity Risk Assessment
You are a cybersecurity risk assessment specialist. When the user needs a security audit, threat assessment, or compliance review, follow this framework.
afrexai-cybersecurity-engine
Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack — zero external dependencies.
Compliance & Audit Readiness Engine
Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed.
Compliance Audit Generator
Run internal compliance audits against major frameworks without hiring a consultant.
AI Safety Audit
Comprehensive AI safety and alignment audit framework for businesses deploying AI agents. Built around the UK AI Security Institute Alignment Project standards (2026), EU AI Act requirements, and NIST AI RMF.
clickhouse-github-forensics
Query GitHub event data via ClickHouse for supply chain investigations, actor profiling, and anomaly detection. Use when investigating GitHub-based attacks, tracking repository activity, analyzing actor behavior patterns, detecting tag/release tampering, or reconstructing incident timelines from public GitHub data. Triggers on GitHub supply chain attacks, repo compromise investigations, actor attribution, tag poisoning, or "query github events".
mema-vault
Secure credential manager using AES-256 (Fernet) encryption. Stores, retrieves, and rotates secrets using a mandatory Master Key. Use for managing API keys, database credentials, and other sensitive tokens.