skill-vetter · listed

Multi-scanner security gate. TRIGGER when: user mentions installing, adding, or reviewing a skill to Claude Code, OpenClaw, or any other AI agent. Detects malicious code, vulnerabilities, and suspicious patterns.
app-incubator-xyz/skill-vetter · ★ 32 · AI & Automation · score 62
Install: claude install-skill app-incubator-xyz/skill-vetter
# Skill Vetter

Security gate that runs multiple scanners against a skill before installation.

## When to Use

Use before installing **ANY** skill to Claude Code, OpenClaw, or your other favorite AI agent — whether from ClawHub, GitHub, or any external source.

Ask the user: "Should I run skill-vetter on this before installing?" whenever they mention installing a new skill.

## How to Run

### Check dependencies first

```bash
bash {baseDir}/scripts/check-deps.sh
```

Fix any missing dependencies before proceeding.

### Run the full scan

```bash
bash {baseDir}/scripts/vett.sh "<skill-name-or-path>"
```

The argument can be:

- A ClawHub skill name: `youtube-summarize`
- A GitHub URL: `https://github.com/user/repo`
- A local path: `/tmp/my-skill/`

## Interpret Results

| Verdict | Meaning | Action |
|---------|---------|--------|
| **BLOCKED** | CRITICAL or HIGH findings | Do NOT install. Show findings. |
| **REVIEW** | Medium severity findings | Show findings, ask user to decide. |
| **SAFE** | All scanners passed | Proceed with installation. |

## After Verdict

Always show the user:

1. Which scanners ran
2. Which passed/failed
3. Specific findings for anything flagged
4. Your recommendation

**Never install the skill automatically.** Always confirm with the user after showing results.

## Scanners Used

| Scanner | What It Checks |
|---------|---------------|
| aguara | Prompt injection, obfuscation, suspicious LLM calls |
| skill-analyzer | Known malicious patterns, CVE