Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub Β· Developer Tools
skill-guard
Scan ClawHub skills for security vulnerabilities BEFORE installing. Use when installing new skills from ClawHub to detect prompt injections, malware payloads, hardcoded secrets, and other threats. Wraps clawhub install with mcp-scan pre-flight checks.
skill openclawclawhub Free
Scan ClawHub skills for security vulnerabilities BEFORE installing. Use when installing new skills from ClawHub to detect prompt injections, malware payloads, hardcoded secrets, and other threats. Wraps clawhub install with mcp-scan pre-flight checks.
β¬ 0 downloads β
0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- SKILL.md, scripts/safe-install.sh
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 1.0.2
Provenance
- Publisher
- jamesOuttake
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
skill-guard
The only pre-install security gate for ClawHub skills.
Why skill-guard?
VirusTotal (ClawHub built-in)skillscanner (Gen Digital)skill-guardWhen it runsAfter publish (server-side)On-demand lookupBefore install (client-side)What it checksMalware signaturesTheir databaseActual skill contentPrompt injectionsβββ Data exfiltration URLsβββ Hidden instructionsβββ AI-specific threatsβββ Install blockingβββ VirusTotal catches known malware binaries β but won't flag <!-- IGNORE PREVIOUS INSTRUCTIONS -->. skillscanner checks if Gen Digital has reviewed it β but can't scan new or updated skills. skill-guard uses mcp-scan (Invariant Labs, acquired by Snyk) to analyze what's actually in the skill, catches AI-specific threats, and blocks install if issues are found.
The Problem
Skills can contain: π Prompt injections β hidden "ignore previous instructions" attacks π Malware payloads β dangerous commands disguised in natural language π Hardcoded secrets β API keys, tokens in plain text π€ Data exfiltration β URLs that leak your conversations, memory, files βοΈ Toxic flows β instructions that chain into harmful actions One bad skill = compromised agent. Your agent trusts skills implicitly.
The Solution
# Instead of: clawhub install some-skill ./scripts/safe-install.sh some-skill skill-guard: Downloads to staging (/tmp/) β never touches your real skills folder Scans with mcp-scan β Invariant/Snyk's security scanner for AI agents Blocks or installs β clean skills get installed, threats get quarantined
What It Catches
Real example β skill-guard flagged this malicious skill: β [E004]: Prompt injection detected (high risk) β [E006]: Malicious code pattern detected β [W007]: Insecure credential handling β [W008]: Machine state compromise attempt β [W011]: Third-party content exposure VirusTotal: 0/76 engines. mcp-scan caught what antivirus missed.
Usage
# Secure install (recommended) ./scripts/safe-install.sh <skill-slug> # With version ./scripts/safe-install.sh <skill-slug> --version 1.2.3 # Force overwrite ./scripts/safe-install.sh <skill-slug> --force
Exit Codes
CodeMeaningAction0CleanSkill installed β1ErrorCheck dependencies/network2Threats foundSkill quarantined in /tmp/, review before deciding
When Threats Are Found
Skill stays in /tmp/skill-guard-staging/skills/<slug>/ (quarantined). You can: Review β read the scan output, inspect the files Install anyway β mv /tmp/skill-guard-staging/skills/<slug> ~/.openclaw/workspace/skills/ Discard β rm -rf /tmp/skill-guard-staging/
Requirements
clawhub CLI β npm i -g clawhub uv β curl -LsSf https://astral.sh/uv/install.sh | sh
Why This Matters
Your agent has access to your files, messages, maybe your whole machine. One malicious skill can: Read your secrets and send them elsewhere Modify your agent's behavior permanently Use your identity to spread to other systems Trust, but verify. Scan before you install.
Category context
Code helpers, APIs, CLIs, browser automation, testing, and developer operations.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
1 Docs1 Scripts
- SKILL.md
- scripts/safe-install.sh