Introduction
# Skill Vetter š
Security-first vetting protocol for AI agent skills. **Never install a skill without vetting it first.**
## When to Use
- Before installing any skill from ClawdHub - Before running skills from GitHub repos - When evaluating skills shared by other agents - Anytime you're asked to install unknown code
## Vetting Protocol
### Step 1: Source Check
``` Questions to answer: - [ ] Where did this skill come from? - [ ] Is the author known/reputable? - [ ] How many downloads/stars does it have? - [ ] When was it last updated? - [ ] Are there reviews from other agents? ```
### Step 2: Code Review (MANDATORY)
Read ALL files in the skill. Check for these **RED FLAGS**:
``` šØ REJECT IMMEDIATELY IF YOU SEE: āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā ā¢ curl/wget to unknown URLs ā¢ Sends data to external servers ā¢ Requests credentials/tokens/API keys ā¢ Reads ~/.ssh, ~/.aws, ~/.config without clear reason ā¢ Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md ā¢ Uses base64 decode on anything ā¢ Uses eval() or exec() with external input ā¢ Modifies system files outside workspace ā¢ Installs packages without listing them ā¢ Network calls to IPs instead of domains ā¢ Obfuscated code (compressed, encoded, minified) ā¢ Requests elevated/sudo permissions ā¢ Accesses browser cookies/sessions ā¢ Touches credential files āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā ```
### Step 3: Permission Scope
``` Evaluate: - [ ] What files does it need to read? - [ ] What files does it need to write? - [ ] What commands does it run? - [ ] Does it need network access? To where? - [ ] Is the scope minimal for its stated purpose? ```
### Step 4: Risk Classification
| Risk Level | Examples | Action | |------------|----------|--------| | š¢ LOW | Notes, weather, formatting | Basic review, install OK | | š” MEDIUM | File ops, browser, APIs | Full code review required | | š“ HIGH | Credentials, trading, system | Human approval required | | ā EXTREME | Security configs, root access | Do NOT install |
## Output Format
After vetting, produce this report:
``` SKILL VETTING REPORT āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā Skill: [name] Source: [ClawdHub / GitHub / other] Author: [username] Version: [version] āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā METRICS: ā¢ Downloads/Stars: [count] ā¢ Last Updated: [date] ā¢ Files Reviewed: [count] āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā RED FLAGS: [None / List them]
PERMISSIONS NEEDED: ā¢ Files: [list or "None"] ā¢ Network: [list or "None"] ā¢ Commands: [list or "None"] āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā RISK LEVEL: [š¢ LOW / š” MEDIUM / š“ HIGH / ā EXTREME]
VERDICT: [ā SAFE TO INSTALL / ā ļø INSTALL WITH CAUTION / ā DO NOT INSTALL]
NOTES: [Any observations] āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā ```
## Quick Vet Commands
For GitHub-hosted skills: ```bash # Check repo stats curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, forks: .forks_count, updated: .updated_at}'
# List skill files curl -s "https://api.github.com/repos/OWNER/REPO/contents/skills/SKILL_NAME" | jq '.[].name'
# Fetch and review SKILL.md curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md" ```
## Trust Hierarchy
1. **Official OpenClaw skills** ā Lower scrutiny (still review) 2. **High-star repos (1000+)** ā Moderate scrutiny 3. **Known authors** ā Moderate scrutiny 4. **New/unknown sources** ā Maximum scrutiny 5. **Skills requesting credentials** ā Human approval always
## Remember
- No skill is worth compromising security - When in doubt, don't install - Ask your human for high-risk decisions - Document what you vet for future reference
---
*Paranoia is a feature.* šš¦