Skill Security Review
by @kickook
Review and audit OpenClaw skills and agents for data risks, code execution, persistence, network access, privilege escalation, and supply-chain threats befor...
clawhub install skill-security-review📖 About This Skill
name: skill-security-review description: Review the security of an OpenClaw skill or agent before installation, import, activation, or trust. Use when the user asks whether a skill is safe, asks to review a .skill package, asks whether a GitHub/ClawHub/zip-based skill is safe, or expresses intent to install/import/enable a skill. Default behavior: if the user wants to install a skill, audit first, then present the verdict and ask for confirmation before installing. Focus on data exposure, local command execution, persistence, network access, privilege escalation, destructive behavior, and supply-chain risk.
Skill Security Review
Review first. Install later.
Treat every new skill, agent bundle, script, or packaged .skill file as untrusted until checked. The goal is to decide whether it is safe enough for 吴老板's machine and data, not to prove absolute safety.
Default policy
If the user expresses intent to install, import, enable, or trust a skill, do not install immediately.
Default sequence: 1. audit the skill first 2. summarize the security verdict 3. state whether installation is recommended, conditionally acceptable, or should be rejected 4. ask the user to confirm before performing the installation
This applies even if the user did not explicitly ask for a security review. Installation intent itself is enough to trigger the review.
Audit workflow
1. Identify the artifact.
- Determine whether the target is a local folder, .skill archive, git repo, pasted SKILL.md, script bundle, or agent prompt.
- If the artifact is compressed, inspect contents before trusting it.
2. Enumerate the attack surface.
- SKILL.md instructions
- bundled scripts/
- references/ that may influence behavior
- assets/ containing executables, macros, shortcuts, archives, or disguised binaries
- package metadata, install hooks, downloader logic, or self-update logic
3. Score the main risk categories. - Data access: reads secrets, tokens, chat logs, browser data, SSH keys, cloud creds, local documents - Code execution: shells out, runs PowerShell/cmd/bash/python/node, downloads and executes code - Persistence: startup entries, scheduled tasks, services, cron, registry edits, background daemons - Network egress: sends data to third-party APIs, webhooks, hidden telemetry, pastebins, tunnels - Destructive behavior: deletes files, rewrites configs, disables security controls, mass-edits state - Privilege boundary: asks for elevated permissions, firewall/Defender changes, SSH/RDP exposure - Supply chain: pulls remote code at runtime, unpinned dependencies, obfuscated blobs, binaries
4. Read the artifact in this order.
- Start with SKILL.md
- Then inspect every executable or automation file
- Then inspect config, manifests, archives, and large/generated files only as needed
- Prefer targeted reads and searches over blindly trusting descriptions
5. Produce a verdict.
- ALLOW: low risk, behavior matches stated purpose, no suspicious hidden capability
- ALLOW WITH GUARDRAILS: useful but risky; list exact constraints
- REJECT: hidden capability, unjustified access, dangerous persistence, exfiltration risk, or poor transparency
Do not say a skill is “safe” without caveats. Say “acceptable risk under these conditions” when appropriate.
Fast triage heuristics
Escalate scrutiny if any of the following appear:
Invoke-WebRequest, curl, wget, irm, iex, Start-Process, powershell -enc.ssh, .env, password manager paths, cloud credential filesReview standard
Flag any capability that is not necessary for the stated purpose.
Ask these questions:
Output format
Use this structure for every audit:
Security Audit Summary
Findings
Decision
Guardrail recommendations
Common guardrails:
Scope limits
This skill is a review workflow, not a sandbox or antivirus engine. Hidden logic in opaque binaries, encrypted payloads, or remote content may remain unknown. When confidence is low, default to REJECT or require isolated testing.
Reference
For a compact checklist and scoring rubric, read references/checklist.md.