2.6k
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill openclaw/skills --skill clawhub-quarantine-installer- _meta.json320 B
- SKILL.md5.2 KB
Overview
This skill installs ClawHub skills into an isolated quarantine directory and runs a basic automated audit to surface potential security risks. It is designed to let you safely inspect third-party or flagged skills in a disposable environment before promoting them to production. The workflow produces a text audit report and preserves the quarantined files for manual review.
How this skill works
The installer script places the requested skill under $HOME/.openclaw/clawhub-quarantine/skills/ using npx clawhub install --force, then invokes an audit routine that scans the skill with ripgrep for risky patterns (command execution, network calls, secrets, environment access). A timestamped report is written to $HOME/.openclaw/clawhub-quarantine/reports/. You can then open the quarantined skill directory to perform deeper manual inspection and dependency checks.
When to use it
- When ClawHub flags a skill as suspicious or risky and you need to investigate safely.
- Before promoting third-party skills into your production OpenClaw workspace.
- When you want a quick automated scan for common dangerous code patterns.
- To archive and audit historical versions of a skill for incident response.
- When testing potentially malicious or untrusted skills inside a disposable VM or container.
Best practices
- Run the installer only in an isolated VM or container with no access to production secrets or networks.
- Treat the automated report as an aid—always perform manual code and dependency review before promotion.
- Verify external dependencies (npm packages) separately, checking their repositories and issue trackers.
- Keep Node.js and ripgrep up to date and limit network access from the quarantine environment.
- Remove or snapshot the quarantine environment after analysis to avoid lingering risks.
Example use cases
- Install a skill flagged by VirusTotal Code Insight to inspect for eval, secret keys, or outbound network calls.
- Audit archived versions of a skill to trace when a risky dependency was introduced.
- Validate whether a skill’s dependencies make system-level calls before allowing it into production.
- Generate a timestamped audit record for compliance or security review workflows.
- Use the quarantine as a safe workspace to reproduce reported problematic behavior.
FAQ
No. The tool downloads and executes remote code. Only run it in an isolated VM or container with no access to sensitive data or production systems.
Does the audit guarantee a skill is safe?
No. The automated audit highlights common risky patterns but cannot find all issues. Follow up with manual review and dependency checks before trusting a skill.