Security vetting protocol before installing any AI agent skill. Red flag detection for credential theft, obfuscated code, exfiltration. Risk classification L...
Security Analysis
high confidence
The skill's requirements and runtime instructions are consistent with a pre-install vetting tool and do not request unrelated credentials or unexpected installs.
Name/description (pre-install vetting) align with what the skill requires: only curl and jq for GitHub/HTTP checks. No credentials, no unusual binaries or filesystem paths are requested.
SKILL.md instructs the agent to inspect a skill's files, repo metadata, and make network queries to GitHub or ClawHub—these actions are coherent with vetting. One minor ambiguity: 'Read ALL files in the skill' should be interpreted as files in the downloaded skill workspace, not arbitrary system files; the docs largely imply workspace-scoped checks. The Quick Vet Commands suggest running 'clawhub install' into a temp dir—be cautious because some package/install tooling can run install hooks even during install.
This is instruction-only with no install spec or archives to download. That minimizes on-disk/automatic execution risk. Required binaries (curl, jq) are standard and proportional.
No environment variables or credentials are requested. The skill's checks explicitly flag access to ~/.ssh, ~/.aws, browser cookies, etc., as red flags rather than asking for them.
always is false and the skill does not request persistent system presence or elevated privileges. It does not modify other skills' configurations.
Guidance
This skill is an instruction-only vetting checklist that uses curl/jq to inspect repos and produce reports — its declared requirements match its purpose. Before using it: (1) ensure the agent confines its file reads to the skill workspace (not your home dir), (2) avoid running package manager install hooks when downloading code (download raw archives or clone the repo rather than executing installers), and (3) remember automated vetting can't catch every malicious behavior — follow the checklist and do a manual review for anything that looks suspicious (network calls, encoded payloads, or surprising install scripts).
Latest Release
v1.0.0
Initial release of skill-vetter: protocol for securely vetting AI agent skills before installation.
- Introduces structured security vetting process, including source verification, code review checklist, and permissions analysis.
- Detects red flags such as credential theft patterns, obfuscated/minified code, data exfiltration, and risky system or network behaviors.
- Classifies risk level as LOW, MEDIUM, HIGH, or EXTREME and produces detailed, markdown-friendly vetting reports.
- Includes practical vetting checklists, report templates, and quick audit commands for both ClawHub and GitHub skills.
- Strongly discourages installing unvetted or sketchy skills; emphasizes rigorous pre-installation checks.
Published by @donovanpankratz-del on ClawHub