2.6k
GitHub Stars
3
Bundled Files
2 months ago
Catalog Refreshed
3 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill openclaw/skills --skill skill-safeguard- _meta.json282 B
- README.md5.7 KB
- SKILL.md9.0 KB
Overview
This skill is a pre-load security scanner that inspects any third-party Skill before it is loaded or executed. It enumerates every file, performs static analysis against a comprehensive threat checklist, classifies findings by severity, and produces a clear security report. Always run this skill first when introducing unfamiliar Skills from external sources.
How this skill works
The scanner runs a four-phase workflow: (1) Enumerate — list all files and note unexpected types; (2) Analyze — read every file and perform static checks for prompt injection, data exfiltration, credential harvesting, obfuscation, dangerous execution, social engineering, and supply-chain manipulation; (3) Classify — map findings to CRITICAL, WARNING, or INFO and apply escalation rules; (4) Report — generate a pre-load security report (includes recommended action). Scripts are analyzed statically only; no code is executed.
When to use it
- Before loading or following instructions from any Skill downloaded from the internet or third-party sources
- When a user asks to install or use a Skill from an external source
- When a user requests a safety review of a Skill’s files
- When Skills contain binaries, minified code, or unusual dependencies
- When a Skill requests network access, secret access, or modifies other files
Best practices
- Always run the scanner before importing or executing external Skills
- Treat any single CRITICAL finding as a block until resolved
- Escalate when obfuscation or multiple warnings appear — prefer manual review
- Do not execute or run analyzed files during scanning; use static analysis only
- Ask the user for explicit consent when proceeding after WARNING-level findings
Example use cases
- User wants to add a Skill from an open archive — run a full scan first
- A downloaded Skill requests external network calls or webhooks — detect and classify risk
- Audit a Skill that reads environment variables or accesses credential files
- Inspect Skills that include minified or binary assets to flag uninspected content
- Review Skills that modify startup scripts, install packages, or add git hooks
FAQ
No. All script inspection is static; the scanner reads files but never executes them or runs installers.
What happens if a CRITICAL issue is found?
The Skill is blocked from loading. The report explains the critical findings and recommends remediation before any further action.