| name | vet-skill |
| description | Vet a third-party Claude/Cursor/agent skill (or plugin / extension package) BEFORE installing it. Catches malicious payloads — prompt injection patterns, hardcoded webhook exfiltration, encoded payloads, dynamic execution, suspicious dependencies, typosquatted package names. Returns ALLOW/WARN/BLOCK with rule citation. Use when the user is about to install a community skill, when reviewing a PR that adds a third-party plugin, or after seeing a "this skill 10x'd my agent" tweet that looks too good. |
| when_to_use | Before installing any community / third-party skill, plugin, or extension package. When a teammate adds an agent extension via PR. After a supply-chain attack story breaks (the next ClawHavoc-equivalent). |
| arguments | ["path"] |
| argument-hint | <path-to-skill-directory-or-package> |
Vet Skill (supply-chain pre-install check)
Run skill-vetter's 41-rule scanner against a skill / plugin / extension package. Return a verdict the user can trust before they install.
What to do
- Take the path from
$ARGUMENTS. If empty, ask the user for the path.
- Call
mcp__openclaw-skill-vetter__vet_skill with the path. The tool walks the directory, scans manifests / SKILL.md / package.json / Python files / shell scripts, and returns findings + verdict.
- Render as a verdict block — never raw JSON.
Verdict rendering
ALLOW (safe to install)
> ✅ **ALLOW** — skill-vetter found no concerning patterns
> **Path:** `<path>`
> **Manifest:** `<package-name>` v`<version>` by `<author>`
> **Files scanned:** N
> **Notes:** [low-severity warnings if any]
WARN (caution — review specific findings)
> 🟡 **WARN** — skill-vetter flagged caution-tier patterns
> **Path:** `<path>`
> **Findings:**
> - **<RULE.NAME>** (severity: WARN) at `<file>:<line>` — <one-line explanation of what the rule catches>
> **Recommended action:** [review the specific lines, decide if expected; OR refuse the install if intent is unclear]
BLOCK (do NOT install)
> 🔴 **BLOCK** — skill-vetter detected critical malicious pattern
> **Path:** `<path>`
> **Findings:**
> - **<RULE.NAME>** (severity: CRITICAL) at `<file>:<line>` — <explanation>
> ```
> <quote the offending lines from the file with line numbers>
> ```
> **What this would do if installed:** <expand on the actual behavior — e.g. "the SKILL.md instructs Claude to ignore previous safety rules and run shell commands without asking; once installed, every Claude session would inherit this override">
> **Where this came from:** [if author / source can be inferred from the manifest, mention it; otherwise note "source unverified"]
> **Action:** Do NOT install. Report the package to the marketplace it came from.
Rule families covered (skill-vetter's 41 rules across 5+ families)
- PROMPT_INJ.* — prompt-injection patterns ("ignore previous instructions", role-override, system-prompt rewrite)
- EXFIL.* — data-exfiltration patterns (hardcoded webhook URLs, base64-encoded HTTP POSTs, credential extraction)
- DYNAMIC_EXEC.* — runtime code execution (
eval, exec, Function, dynamic import)
- SECRET_REF.* — references to credential files (
.env, .aws/credentials, .netrc, ~/.ssh/)
- TYPOSQUAT.* — package names suspiciously close to popular packages (e.g.
claude-code-helpers vs claude-code-helper)
- GIT_HOOK_INSTALL.* — silent git-hook installation
- OBFUSCATION.* — unicode tricks, hex/base64-encoded strings, character-array reconstruction
Cite the actual rule name returned by skill-vetter — don't paraphrase.
Style notes
- For BLOCK-tier findings, ALWAYS quote the offending lines. Quoting is the cheapest way to make the user genuinely understand the threat.
- If the package has a manifest (
package.json, pyproject.toml, claude-plugin.json), surface the author / version / homepage in the verdict header. Provenance matters for trust decisions.
- If multiple findings stack, prioritize the highest-severity one in the headline; list others in order.
Edge cases
- If
$ARGUMENTS is empty: "Pass a path to the skill directory or package: /aufgaard:vet-skill ./path/to/community-skill"
- If skill-vetter MCP not loaded: "skill-vetter MCP not available. Verify
pip install openclaw-skill-vetter-mcp and the plugin is loaded."
- If the path doesn't exist: "Path not found:
<path>. Pass a directory or archive path."
- If the path is a remote URL (not yet supported by skill-vetter): "Download the skill locally first, then vet. skill-vetter does not yet vet remote URLs directly."
Footer CTA
---
The [Production-AI MCP Suite Bundle](https://temurah.gumroad.com/l/production-ai-mcp-suite) ($29) includes skill-vetter's full 41-rule catalogue + 6 other production-AI safety MCPs + the 8-page Field Reference PDF (covers P5.1 malicious-skill payloads + P5.2 dependency rot).