skill-guard
The only pre-install security gate for ClawHub skills.
Why skill-guard?
| VirusTotal (ClawHub built-in) | skillscanner (Gen Digital) | skill-guard | |
|---|---|---|---|
| When it runs | After publish (server-side) | On-demand lookup | Before install (client-side) |
| What it checks | Malware signatures | Their database | Actual skill content |
| Prompt injections | ❌ | ❌ | ✅ |
| Data exfiltration URLs | ❌ | ❌ | ✅ |
| Hidden instructions | ❌ | ❌ | ✅ |
| AI-specific threats | ❌ | ❌ | ✅ |
| Install blocking | ❌ | ❌ | ✅ |
VirusTotal catches known malware binaries — but won't flag <!-- IGNORE PREVIOUS INSTRUCTIONS -->.
skillscanner checks if Gen Digital has reviewed it — but can't scan new or updated skills.
skill-guard uses mcp-scan (Invariant Labs, acquired by Snyk) to analyze what's actually in the skill, catches AI-specific threats, and blocks install if issues are found.
The Problem
Skills can contain:
- 🎭 Prompt injections — hidden "ignore previous instructions" attacks
- 💀 Malware payloads — dangerous commands disguised in natural language
- 🔑 Hardcoded secrets — API keys, tokens in plain text
- 📤 Data exfiltration — URLs that leak your conversations, memory, files
- ⛓️ Toxic flows — instructions that chain into harmful actions
One bad skill = compromised agent. Your agent trusts skills implicitly.
The Solution
# Instead of: clawhub install some-skill
./scripts/safe-install.sh some-skill
skill-guard:
1. Downloads to staging (/tmp/) — never touches your real skills folder
2. Scans with mcp-scan — Invariant/Snyk's security scanner for AI agents
3. Blocks or installs — clean skills get installed, threats get quarantined
What It Catches
Real example — skill-guard flagged this malicious skill:
● [E004]: Prompt injection detected (high risk)
● [E006]: Malicious code pattern detected
● [W007]: Insecure credential handling
● [W008]: Machine state compromise attempt
● [W011]: Third-party content exposure
VirusTotal: 0/76 engines. mcp-scan caught what antivirus missed.
Usage
# Secure install (recommended)
./scripts/safe-install.sh <skill-slug>
# With version
./scripts/safe-install.sh <skill-slug> --version 1.2.3
# Force overwrite
./scripts/safe-install.sh <skill-slug> --force
Exit Codes
| Code | Meaning | Action |
|---|---|---|
0 |
Clean | Skill installed ✓ |
1 |
Error | Check dependencies/network |
2 |
Threats found | Skill quarantined in /tmp/, review before deciding |
When Threats Are Found
Skill stays in /tmp/skill-guard-staging/skills/<slug>/ (quarantined). You can:
1. Review — read the scan output, inspect the files
2. Install anyway — mv /tmp/skill-guard-staging/skills/<slug> ~/.openclaw/workspace/skills/
3. Discard — rm -rf /tmp/skill-guard-staging/
Requirements
clawhubCLI —npm i -g clawhubuv—curl -LsSf https://astral.sh/uv/install.sh | sh
Why This Matters
Your agent has access to your files, messages, maybe your whole machine. One malicious skill can:
- Read your secrets and send them elsewhere
- Modify your agent's behavior permanently
- Use your identity to spread to other systems
Trust, but verify. Scan before you install.