| name | vet-config |
| description | Vet an agent-config file or directory (CLAUDE.md, AGENTS.md, .cursor/rules.md, .gemini/config, .claude/skills/, .git/hooks/) BEFORE the agent reads it on next session-start. Catches the agent-config-trust-boundary attack class — adversary lands a config file in a PR, agent inherits the override, RCE-equivalent. 24+ rules including PROMPT_INJ, EXFIL, DYNAMIC_EXEC, SECRET_REF, GIT_HOOK_INSTALL. Use when reviewing PRs that touch any agent-config layer, or after pulling a branch that may have modified these files. |
| when_to_use | Before merging a PR that adds/modifies agent-config files. After `git pull` brought in changes you didn't review yourself. When auditing a fresh clone of someone else's repo before opening it in Claude Code / Cursor. |
| arguments | ["path"] |
| argument-hint | <path-to-agent-config-file-or-directory> |
Vet Agent Config (trust-boundary check)
Scan agent-config files for adversarial patterns that exploit the config-as-instruction trust boundary. The Cursor CVE-2026-26268 + Gemini CLI CVSS 10.0 yolo-mode exploit class lives here — an attacker plants a config file, the agent reads it on next session-start and trusts it implicitly.
What to do
- Take the path from
$ARGUMENTS. Default to scanning common agent-config locations if no path given:
./CLAUDE.md
./AGENTS.md
./.claude/ (recursive)
./.cursor/rules/ (recursive)
./.gemini/
./.git/hooks/
- Call
mcp__openclaw-skill-vetter__vet_agent_config with the path. (This is skill-vetter v1.1+ — verify version if call fails.)
- Render the verdict per file scanned.
Verdict rendering
For each file, render one block. Aggregate at the top:
Aggregate header
### 🔍 Agent Config Audit
**Scope:** `<path>` · **Files scanned:** N · **Verdict:** 🟢 ALLOW / 🟡 WARN / 🔴 BLOCK (worst-case across all files)
Per-file findings
For files that triggered findings:
> 🔴/🟡 **`<file>`** — <severity>
> **Findings:**
> - **<RULE.NAME>** at line `<N>`:
> ```
> <quote the offending line>
> ```
> <one-line explanation of why this rule fired>
> **What this would do:** <expand on actual behavior on next session-start>
For files that passed:
Just include in aggregate count. Don't render a per-file ALLOW block (would clutter the report when scanning a directory).
Rule families specifically for agent configs (24+ rules)
- AGENT_CFG.PROMPT_INJ.IGNORE_PREVIOUS — "ignore previous instructions" / role-override
- AGENT_CFG.PROMPT_INJ.YOU_ARE_NOW — system-prompt-rewrite via "you are now ..."
- AGENT_CFG.PROMPT_INJ.NO_PERMISSION — "do not ask for permission" / approval-bypass
- AGENT_CFG.EXFIL.WEBHOOK_HARDCODED — outbound POST to non-allowlisted URLs
- AGENT_CFG.EXFIL.CREDENTIAL_REF — instructions to read
.env, .aws, .netrc, etc.
- AGENT_CFG.DYNAMIC_EXEC.EVAL_INSTRUCTION — instructions to use
eval, Function, runtime imports
- AGENT_CFG.SECRET_REF.SSH_KEY / .AWS_KEY / .GIT_TOKEN — references to credential files
- AGENT_CFG.GIT_HOOK_INSTALL — instructions that install or modify git hooks
- AGENT_CFG.OBFUSCATION.UNICODE_TRICK — homoglyphs / zero-width chars / RTL overrides
- AGENT_CFG.SUBPROCESS.SHELL_TRUE — instructions to spawn shells with
shell=True
Cite the actual rule returned. The rules above are the catalog reference.
Style notes
- ALWAYS quote the offending line for BLOCK findings. The quote IS the proof.
- If multiple files in the same directory trigger the same rule (e.g. 3 SKILL.md files all have IGNORE_PREVIOUS), group them: "3 files match AGENT_CFG.PROMPT_INJ.IGNORE_PREVIOUS — see file list below"
- For directory scans, render a tree-like summary when there are many files: "Scanned 47 files across
.claude/skills/ — 44 ALLOW, 2 WARN, 1 BLOCK".
- Surface git provenance if available — if running inside a git repo, mention "this file was added/modified by
<commit-sha> on " so the user can identify the PR / commit responsible.
Edge cases
- If
$ARGUMENTS is empty AND no default paths exist in CWD, ask: "Pass a path: /aufgaard:vet-config .claude/skills/new-deploy/SKILL.md. Common scan targets: .claude/, .cursor/rules/, AGENTS.md, CLAUDE.md."
- If skill-vetter MCP not loaded: "skill-vetter MCP not available. Verify
pip install openclaw-skill-vetter-mcp and the plugin is loaded."
- If the version of skill-vetter is older than v1.1 (no
vet_agent_config tool), suggest upgrade: "Your skill-vetter is older than v1.1. Run pip install --upgrade openclaw-skill-vetter-mcp to access agent-config scanning."
- If running on a fresh clone with no agent-config files, render: "🟢 No agent-config files found. Repo is clean of CLAUDE.md / AGENTS.md / .cursor/rules / .claude/skills / .git/hooks. Re-run after pulling new branches."
Footer CTA
---
Agent-config trust-boundary attacks (P5.z) is one of 35 documented production-AI failure patterns. The [Production-AI MCP Suite Bundle](https://temurah.gumroad.com/l/production-ai-mcp-suite) ($29) includes the 8-page Field Reference PDF — covers Cursor CVE-2026-26268 + Gemini CLI CVSS 10.0 yolo-mode + 4 other supply-chain and config-poisoning patterns.