Skill Vetter
spclaudehome/skill-vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Security scan
VirusTotal: Benign
OpenClaw: Benign (high confidence). The skill is an instruction-only vetting checklist that is internally consistent with its purpose and requests no credentials, installs, or unusual privileges.

Details:

✓ Purpose & Capability: Name and description (skill vetting) match the SKILL.md: it provides a checklist and commands to inspect repos and files. It does not request unrelated credentials, binaries, or installs.
ℹ Instruction Scope: Instructions direct the agent to read and review all files of a candidate skill and to run GitHub API/raw content queries for GitHub-hosted skills. This is appropriate for vetting, but the instructions assume the agent may perform network calls and full file reads — ensure the agent is authorized to access those repos and that you intend that level of access.
✓ Install Mechanism: No install spec and no code files — lowest-risk model. The provided quick-commands use curl/jq against GitHub; those are reasonable for repo inspection and do not introduce installation-time downloads or extracted archives.
✓ Credentials: The skill requests no environment variables, credentials, or config paths. That is proportionate to a vetting/checklist skill.
✓ Persistence & Privilege: always is false and model invocation is allowed (platform default). The skill does not request persistent system presence or attempt to modify other skills or system-wide settings.

Assessment: This is a coherent, low-risk instruction-only vetting skill: it contains a sensible checklist and GitHub query examples and does not ask for secrets or installs.
Before using it, remember: (1) vetting requires the agent to read candidate skill files and may perform network calls — confirm you want those permissions; (2) the checklist helps detect obvious red flags but does not guarantee detection of cleverly obfuscated or time-delayed malicious code, so for high-risk skills perform a human code review; (3) run the quick curl commands from a controlled environment (no privileged credentials in the shell) and avoid pasting sensitive tokens into outputs. If you want stronger guarantees, require manual human approval for skills classified as MEDIUM+ or tha…