
      Safety Report

      baidu-skill-guard

      @jenics

      Intercepts all skill install/download requests. MUST be used before installing/downloading any skill from ClawdHub, GitHub, the Baidu AppBuilder platform, or other source...

      349 Downloads · 2 Installs · 5 Stars · 10 Versions

      Security Analysis

      Verdict: Suspicious (risk score 0.12, medium confidence)

      The skill's code and instructions match its stated purpose (querying a remote security API before installing skills), but it enforces a very broad interception policy and contacts an external API (skill-sec.baidu.com) without describing what data is sent. Used as instructed, this could leak skill metadata or local files.

      Mar 27, 2026 · 5 files · 4 concerns

      Purpose & Capability [note]

      The name and description claim to intercept skill installs and run a security check; the included scripts (check.sh, check.py, check.js) implement an API query workflow against a remote endpoint (https://skill-sec.baidu.com). The requested capabilities (query by slug/version, scan installed skill directories) are consistent with a 'guard' skill. However, the skill mandates interception of all install-related intents across all languages, which is broader than many guard utilities would require.

      Instruction Scope [concern]

      SKILL.md mandates that the agent must stop installs and run the included check.sh script, copy the API's report_text verbatim, and automatically proceed on 'safe' results. The instructions call for scanning local skill directories (--file /path/to/skills) and batch scans, which implies the script will read local files (and at minimum compute hashes). The SKILL.md gives the remote script authority to decide install flow (automatic proceed on 'safe') and forces use of the remote-provided report verbatim; both are scope/decision controls that elevate the remote service's influence over local installs. The documentation does not clearly describe exactly what data is transmitted to the remote API (slug/version only, hashes, or file contents), leaving a potential for unintended data exfiltration.

      Install Mechanism [ok]

      There is no network-based install spec; the skill is instruction-only with bundled scripts. No external archive downloads or executable installers are pulled at install time. The risk comes from the bundled scripts performing outbound network requests at runtime rather than from an install mechanism that fetches arbitrary code.

      Credentials [note]

      The skill does not request environment variables or credentials and does not require binaries. That matches the stated purpose. However, the scripts call a remote API (skill-sec.baidu.com). The manifest does not declare the network endpoint or a privacy policy, and the SKILL.md does not specify exactly which local data will be sent when scanning a directory (slug/version/hash vs full file upload), so the level of data access is not fully described.

      Persistence & Privilege [note]

      The `always` flag is false and the skill is user-invocable. The SKILL.md intends the skill to be triggered automatically on any install/scan intent (very broad trigger patterns). Autonomous invocation plus outbound network queries means it could be called frequently and send metadata to the external API; that combination increases blast radius but is not in itself a policy violation under the platform defaults.

      Guidance

      This skill appears to implement a legitimate 'pre-install security check' by calling an external API (https://skill-sec.baidu.com). Before installing or enabling it, consider the following:

      - Verify the remote API and owner: the registry metadata shows no homepage and an unknown owner; confirm that skill-sec.baidu.com and the package owner are trustworthy (this looks like a Baidu domain, but you should confirm).
      - Confirm what data is sent: test the scripts locally (run check.sh with --slug only) and monitor outbound requests to see whether the script sends only slug/version/hashes or whether it uploads file contents when using --file. If you must scan local skill directories, prefer a mode that sends only non-sensitive metadata/hashes.
      - Review the code fully: the included Python/Node scripts are the runtime behavior. Review the remainder of the code (truncated portions) to ensure there is no hidden upload of full files or other surprising behavior.
      - Watch automated decisions: the protocol instructs the agent to proceed automatically on a 'safe' bd_confidence. Decide whether you want automatic installs or prefer manual confirmation even for 'safe' results.
      - Least privilege: if you use it, run scans with explicit slug/version first, and only use directory-scan modes when absolutely necessary and after confirming what will be transmitted.

      If you cannot validate the remote service or the exact data flow, treat this skill as untrusted and do not enable automatic, system-wide interception of install intents.

      Latest Release

      v1.0.9

      **Skill Guard 1.0.9 introduces stricter security and reporting rules.**

      - Now strictly requires displaying the exact pre-formatted `report_text` from script output; never generate your own security report.
      - Clarifies that install/download interception must trigger on both skill install and download requests.
      - Removes the prior URL-based install scenario for security checks; skill checks are by slug or installed directory.
      - The enhanced reporting and decision process is now fully driven by structured JSON output fields (`bd_confidence`, `final_verdict`, etc.).
      - Updated instructions and language to emphasize stricter protocol and compliance, especially regarding report handling.


      Published by @jenics on ClawHub
