skill-install-guardian
Security and due diligence layer for installing external skills from ClawHub. Performs DEEP content scanning for malicious patterns, security checks, integra...
Install via ClawdBot CLI:
```bash
clawdbot install zendenho7/skill-install-guardian
```
"Trust but verify. Always."
This skill protects your workspace by performing security and due diligence checks before installing any external skill.
Before installing any external skill from ClawHub, this skill:
This skill performs actual content analysis on skill files:
| Pattern | Severity | Example |
|---------|----------|---------|
| eval() | CRITICAL | Code execution |
| exec() | CRITICAL | Code execution |
| subprocess | HIGH | Shell commands |
| API keys/tokens | CRITICAL | sk-xxx, ghp_xxx |
| base64 decode | MEDIUM | Obfuscation |
| `__import__` | MEDIUM | Dynamic imports |
```bash
# Get skill security report
npx clawhub inspect <skill-slug> --security
```
What to check:
Action if flagged: ABORT immediately
```bash
# Fetch skill files
npx clawhub inspect <skill-slug> --files
# Analyze each file for:
# - Prompt injection patterns
# - Suspicious API calls (curl, fetch to unknown domains)
# - Hardcoded secrets/keys
# - Eval() or code execution
# - Base64 encoded strings (potential obfuscation)
# - External network calls without justification
```
Analysis criteria:
| Pattern | Risk Level | Action |
|---------|------------|--------|
| eval( | CRITICAL | ABORT |
| subprocess without params | HIGH | Flag for review |
| curl to unknown domain | HIGH | Flag for review |
| Hardcoded API key | CRITICAL | ABORT |
| Base64 encoded blob | MEDIUM | Flag for review |
| External URL fetch | MEDIUM | Flag for review |
| Clean code | LOW | Pass |
Assumption: All external skills are potentially malicious until proven otherwise.
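The analysis criteria above can be expressed as a small rule engine. This is an added example, not the skill's own `scripts/check.py` and not code from the original page. The regexes, the `ALLOWED_HOSTS` allowlist, the sample files and the mapping from risk level to recommendation are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist; the page does not define what counts as a "known" domain.
ALLOWED_HOSTS = {"clawhub.example"}

# (label, regex, risk) taken from the page's tables; the regexes are assumptions.
PATTERNS = [
    ("eval(", re.compile(r"\beval\s*\("), "CRITICAL"),
    ("exec(", re.compile(r"\bexec\s*\("), "CRITICAL"),
    ("Hardcoded API key", re.compile(r"\b(?:sk-|ghp_)[A-Za-z0-9]{16,}"), "CRITICAL"),
    ("subprocess", re.compile(r"\bsubprocess\b"), "HIGH"),
    ("Base64 encoded blob", re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"), "MEDIUM"),
]
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

def scan_file(name, text):
    """Return one finding per rule hit, with file and line for the report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(label, risk) for label, rx, risk in PATTERNS if rx.search(line)]
        for url in URL_RE.findall(line):
            if (urlparse(url).hostname or "") not in ALLOWED_HOSTS:
                # A curl to a non-allowlisted host is HIGH; any other URL is MEDIUM.
                is_curl = re.search(r"\bcurl\b", line) is not None
                hits.append(("curl to unknown domain", "HIGH") if is_curl
                            else ("External URL fetch", "MEDIUM"))
        findings += [{"file": name, "line": lineno, "pattern": p, "risk": r}
                     for p, r in hits]
    return findings

def assess(files):
    """Map the worst finding to the report's PROCEED / REVIEW / ABORT."""
    issues = [f for name, text in files.items() for f in scan_file(name, text)]
    worst = max((RANK[i["risk"]] for i in issues), default=0)
    rec = "ABORT" if worst == 3 else "REVIEW" if worst else "PROCEED"
    return {"issues_found": issues, "recommendation": rec}

# Constructed skill contents for illustration; the key is a fake placeholder.
SAMPLE = {
    "SKILL.md": "# Notes helper\nSummarises notes in the workspace.\n",
    "scripts/run.py": 'import subprocess\nKEY = "sk-EXAMPLEEXAMPLEEXAMPLE0000"\n',
    "scripts/sync.sh": "curl -s https://telemetry.unknown.example/collect\n",
}

if __name__ == "__main__":
    for issue in assess(SAMPLE)["issues_found"]:
        print(issue)
```

The word boundary in the `eval(` rule keeps `ast.literal_eval(` from being flagged. Line-based regex matching like this is a first-pass filter, so the owner confirmation step still matters.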
Questions to answer:
Check existing skills:
```bash
npx clawhub search <related-topic>
ls skills/*/SKILL.md | xargs grep -l "<topic>"
```
Conflict detection:
Generate a report with:
```markdown
## Skill Install Report: <skill-name>

### Security Status
- [ ] PASSED / [ ] FAILED

### Security Details
- ClawHub report: <status>
- Code analysis: <findings>

### Integration Status
- Purpose: <useful/useless>
- Conflicts: <list>
- Value: <high/medium/low>

### Recommendation
[PROCEED] / [ABORT] / [REVIEW]

### Owner Decision Required
Please confirm before I proceed with installation.
```
```bash
python3 skills/skill-install-guardian/scripts/check.py <skill-slug>
python3 skills/skill-install-guardian/scripts/check.py <skill-slug> --quick
npx clawhub install <skill-slug>
```
1. Owner: "Install skill X"
2. Me: Run skill-install-guardian
3. Guardian: Security Check v1
4. Guardian: Security Check v2 (if v1 passes)
5. Guardian: Integration Check
6. Guardian: Report to owner
7. Owner: Confirm or abort
8. If confirmed: Install
```json
{
  "skill": "example-skill",
  "version": "1.0.0",
  "security": {
    "v1_clawhub": "PASS",
    "v2_code_analysis": {
      "status": "PASS",
      "issues_found": []
    }
  },
  "integration": {
    "purpose": "useful",
    "conflicts": [],
    "value": "high"
  },
  "recommendation": "PROCEED",
  "owner_decision": "PENDING"
}
```
Security first. Always verify.
Generated Mar 1, 2026
AI development teams use this skill to vet third-party AI agent skills before integrating them into their workflow, ensuring no malicious code or security vulnerabilities are introduced. It automates due diligence, scanning for patterns like eval() or hardcoded API keys, and requires manual confirmation to prevent automated threats.
Large enterprises deploy this skill as part of their AI platform governance to enforce security policies when employees install external skills from repositories like ClawHub. It provides audit trails through reports and prevents installation of unvetted code, reducing risks of data breaches or compliance violations.
Universities and research labs use this skill in AI courses or projects to teach students about secure coding practices while allowing exploration of external skills. It acts as a safety net, flagging potential issues in downloaded code for review, fostering learning without compromising system integrity.
Freelancers and small businesses rely on this skill to quickly verify the safety of AI skills they consider using for client projects, ensuring they don't inadvertently introduce vulnerabilities. It streamlines the review process with automated scans and clear reports, saving time while maintaining trust.
Open-source communities integrate this skill into their contribution workflows to screen new AI skill submissions for malicious content before merging. It helps maintain project security by detecting patterns like obfuscated code or unauthorized network calls, protecting users from potential exploits.
Offer this skill as a cloud-based service with advanced scanning features, team management dashboards, and compliance reporting. Revenue is generated through monthly or annual subscriptions based on the number of users or scans performed, targeting businesses needing scalable security solutions.
Sell enterprise licenses with custom integrations, priority support, and on-premise deployment options for large organizations. Revenue comes from one-time license fees plus annual maintenance contracts, focusing on industries with strict regulatory requirements like finance or healthcare.
Provide a free basic version for individual users with limited scans, then upsell to premium tiers offering deeper analysis, batch processing, and API access. Revenue is driven by premium subscriptions and pay-per-use credits for high-volume scanning needs.
Integration Tip
Integrate this skill early in your development pipeline by automating checks before any skill installation, and regularly update its pattern detection rules to adapt to new security threats.