skill-guard
The only pre-install security gate for ClawHub skills.
Why skill-guard?
| VirusTotal (ClawHub built-in) | skillscanner (Gen Digital) | skill-guard | |
|---|---|---|---|
| When it runs | After publish (server-side) | On-demand lookup | Before install (client-side) |
| What it checks | Malware signatures | Their database | Actual skill content |
| Prompt injections | โ | โ | โ |
| Data exfiltration URLs | โ | โ | โ |
| Hidden instructions | โ | โ | โ |
| AI-specific threats | โ | โ | โ |
| Install blocking | โ | โ | โ |
VirusTotal catches known malware binaries โ but won't flag <!-- IGNORE PREVIOUS INSTRUCTIONS -->.
skillscanner checks if Gen Digital has reviewed it โ but can't scan new or updated skills.
skill-guard uses mcp-scan (Invariant Labs, acquired by Snyk) to analyze what's actually in the skill, catches AI-specific threats, and blocks install if issues are found.
The Problem
Skills can contain:
- ๐ญ Prompt injections โ hidden "ignore previous instructions" attacks
- ๐ Malware payloads โ dangerous commands disguised in natural language
- ๐ Hardcoded secrets โ API keys, tokens in plain text
- ๐ค Data exfiltration โ URLs that leak your conversations, memory, files
- โ๏ธ Toxic flows โ instructions that chain into harmful actions
One bad skill = compromised agent. Your agent trusts skills implicitly.
The Solution
# Instead of: clawhub install some-skill
./scripts/safe-install.sh some-skill
skill-guard:
- Downloads to staging (
/tmp/) โ never touches your real skills folder - Scans with mcp-scan โ Invariant/Snyk's security scanner for AI agents
- Blocks or installs โ clean skills get installed, threats get quarantined
What It Catches
Real example โ skill-guard flagged this malicious skill:
โ [E004]: Prompt injection detected (high risk)
โ [E006]: Malicious code pattern detected
โ [W007]: Insecure credential handling
โ [W008]: Machine state compromise attempt
โ [W011]: Third-party content exposure
VirusTotal: 0/76 engines. mcp-scan caught what antivirus missed.
Usage
# Secure install (recommended)
./scripts/safe-install.sh <skill-slug>
# With version
./scripts/safe-install.sh <skill-slug> --version 1.2.3
# Force overwrite
./scripts/safe-install.sh <skill-slug> --force
Exit Codes
| Code | Meaning | Action |
|---|---|---|
0 |
Clean | Skill installed โ |
1 |
Error | Check dependencies/network |
2 |
Threats found | Skill quarantined in /tmp/, review before deciding |
When Threats Are Found
Skill stays in /tmp/skill-guard-staging/skills/<slug>/ (quarantined). You can:
- Review โ read the scan output, inspect the files
- Install anyway โ
mv /tmp/skill-guard-staging/skills/<slug> ~/.openclaw/workspace/skills/ - Discard โ
rm -rf /tmp/skill-guard-staging/
Requirements
clawhubCLI โnpm i -g clawhubuvโcurl -LsSf https://astral.sh/uv/install.sh | sh
Why This Matters
Your agent has access to your files, messages, maybe your whole machine. One malicious skill can:
- Read your secrets and send them elsewhere
- Modify your agent's behavior permanently
- Use your identity to spread to other systems
Trust, but verify. Scan before you install.