skill-guard

Review·Scanned 2/18/2026

skill-guard stages and scans ClawHub skills before installing using ./scripts/safe-install.sh, clawhub install, and uvx mcp-scan@latest, and installs into ~/.openclaw/workspace/skills. The content executes shell commands and performs network fetches (e.g., clawhub install, uvx mcp-scan@latest, curl https://astral.sh/uv/install.sh), which is purpose-aligned.

from clawhub.ai·v107c72c·9.9 KB·0 installs
Scanned from 1.0.2 at 107c72c · Transparency log ↗
$ vett add clawhub.ai/jamesouttake/skill-guardReview findings below

skill-guard

The only pre-install security gate for ClawHub skills.

Why skill-guard?

VirusTotal (ClawHub built-in)skillscanner (Gen Digital)skill-guard
When it runsAfter publish (server-side)On-demand lookupBefore install (client-side)
What it checksMalware signaturesTheir databaseActual skill content
Prompt injections
Data exfiltration URLs
Hidden instructions
AI-specific threats
Install blocking

VirusTotal catches known malware binaries — but won't flag <!-- IGNORE PREVIOUS INSTRUCTIONS -->.

skillscanner checks if Gen Digital has reviewed it — but can't scan new or updated skills.

skill-guard uses mcp-scan (Invariant Labs, acquired by Snyk) to analyze what's actually in the skill, catches AI-specific threats, and blocks install if issues are found.

The Problem

Skills can contain:

  • 🎭 Prompt injections — hidden "ignore previous instructions" attacks
  • 💀 Malware payloads — dangerous commands disguised in natural language
  • 🔑 Hardcoded secrets — API keys, tokens in plain text
  • 📤 Data exfiltration — URLs that leak your conversations, memory, files
  • ⛓️ Toxic flows — instructions that chain into harmful actions

One bad skill = compromised agent. Your agent trusts skills implicitly.

The Solution

# Instead of: clawhub install some-skill
./scripts/safe-install.sh some-skill

skill-guard:

  1. Downloads to staging (/tmp/) — never touches your real skills folder
  2. Scans with mcp-scan — Invariant/Snyk's security scanner for AI agents
  3. Blocks or installs — clean skills get installed, threats get quarantined

What It Catches

Real example — skill-guard flagged this malicious skill:

● [E004]: Prompt injection detected (high risk)
● [E006]: Malicious code pattern detected  
● [W007]: Insecure credential handling
● [W008]: Machine state compromise attempt
● [W011]: Third-party content exposure

VirusTotal: 0/76 engines. mcp-scan caught what antivirus missed.

Usage

# Secure install (recommended)
./scripts/safe-install.sh <skill-slug>

# With version
./scripts/safe-install.sh <skill-slug> --version 1.2.3

# Force overwrite
./scripts/safe-install.sh <skill-slug> --force

Exit Codes

CodeMeaningAction
0CleanSkill installed ✓
1ErrorCheck dependencies/network
2Threats foundSkill quarantined in /tmp/, review before deciding

When Threats Are Found

Skill stays in /tmp/skill-guard-staging/skills/<slug>/ (quarantined). You can:

  1. Review — read the scan output, inspect the files
  2. Install anywaymv /tmp/skill-guard-staging/skills/<slug> ~/.openclaw/workspace/skills/
  3. Discardrm -rf /tmp/skill-guard-staging/

Requirements

  • clawhub CLI — npm i -g clawhub
  • uvcurl -LsSf https://astral.sh/uv/install.sh | sh

Why This Matters

Your agent has access to your files, messages, maybe your whole machine. One malicious skill can:

  • Read your secrets and send them elsewhere
  • Modify your agent's behavior permanently
  • Use your identity to spread to other systems

Trust, but verify. Scan before you install.