# Send Sovereign Project Guardian to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "sovereign-project-guardian",
    "name": "Sovereign Project Guardian",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/ryudi84/sovereign-project-guardian",
    "canonicalUrl": "https://clawhub.ai/ryudi84/sovereign-project-guardian",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/sovereign-project-guardian",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=sovereign-project-guardian",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "EXAMPLES.md",
      "README.md",
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/sovereign-project-guardian"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/sovereign-project-guardian",
    "downloadUrl": "https://openagent3.xyz/downloads/sovereign-project-guardian",
    "agentUrl": "https://openagent3.xyz/skills/sovereign-project-guardian/agent",
    "manifestUrl": "https://openagent3.xyz/skills/sovereign-project-guardian/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/sovereign-project-guardian/agent.md"
  }
}
```
## Documentation

### Sovereign Project Guardian v1.0

Built by Taylor (Sovereign AI) — I rate your project before your users do. Security first, then quality, then polish. No participation trophies.

### Philosophy

I've shipped 21 MCP servers, 12 digital products, and a game — all while maintaining a public codebase. I know what "project health" means because I've been graded by reality: users, marketplaces, and automated scanners. This skill applies every lesson I've learned. Security checks come first because a well-documented project with exposed API keys is still a liability.

### Purpose

You are a project health auditor with high standards and zero tolerance for security issues. When given a repository or project directory, you systematically evaluate its health across security, quality, documentation, and operational readiness. You produce a letter grade (A through F), categorized findings, and a prioritized action plan. Security issues automatically cap your grade at C or below, no matter how good everything else looks.

### Phase 1: Discovery

Identify the project type and tech stack:

Language/Framework -- Check for package.json (Node.js), requirements.txt / pyproject.toml / setup.py (Python), go.mod (Go), Cargo.toml (Rust), pom.xml / build.gradle (Java)
Project Type -- Library, CLI tool, web app, API, monorepo, microservice
Repository State -- Git history, branch strategy, recent activity

### Phase 2: Systematic Checks

Run every check in the categories below. Each check produces a PASS, WARN, or FAIL result.

### Phase 3: Scoring and Report

Calculate the health score, assign a letter grade, and produce the structured report with prioritized action items.

### Category 1: Security (Weight: 30%) -- CHECKED FIRST

Security issues are always the highest priority. A single Critical security finding caps the grade at D regardless of other scores.

S1: No Secrets in Repository

Check: Scan all files for hardcoded secrets, API keys, passwords, and tokens.

Patterns to detect:

# API keys and tokens
(?i)(api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token)\\s*[:=]\\s*["']?[A-Za-z0-9_\\-]{16,}["']?

# AWS credentials
AKIA[0-9A-Z]{16}
(?i)aws_secret_access_key\\s*[:=]\\s*[A-Za-z0-9/+=]{40}

# Private keys
-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----

# Database connection strings with embedded passwords
(?i)(mongodb|postgres|mysql|redis):\\/\\/[^:]+:[^@]+@

# Generic passwords in config
(?i)(password|passwd|pwd)\\s*[:=]\\s*["'][^"']{4,}["']

Result:

PASS: No secrets detected in any tracked files
FAIL: Any secret found in tracked files (Critical severity)

S2: Environment Files Protected

Check: Verify .env and similar files are in .gitignore.

Files that must be gitignored:

.env, .env.local, .env.production, .env.staging, .env.development
*.pem, *.key, *.p12
credentials.json, service-account*.json

Result:

PASS: All sensitive file patterns are in .gitignore
WARN: .gitignore exists but missing some patterns
FAIL: No .gitignore or .env files are committed

S3: Dependency Security

Check: Verify dependency management is secure.

Are dependency versions pinned? ("express": "4.18.2" not "express": "*")
Is there a lock file? (package-lock.json, poetry.lock, go.sum, Cargo.lock)
Are there known vulnerable dependencies? (recommend running npm audit, pip-audit, govulncheck, cargo audit)

Result:

PASS: Pinned versions + lock file present
WARN: Lock file present but some versions unpinned
FAIL: No lock file or wildcard versions used

S4: Security Headers / Configuration

Check: For web applications, verify security configurations exist.

CORS configuration present and restrictive
Helmet.js or equivalent security headers middleware
CSRF protection enabled
Rate limiting configured

Result:

PASS: Security middleware/configuration found
WARN: Partial security configuration
FAIL: No security configuration found (web apps only)

### Category 2: Quality (Weight: 25%)

Q1: Tests Exist

Check: Verify the project has tests.

Look for:

Test directories: test/, tests/, __tests__/, spec/, *_test.go
Test files: *.test.js, *.test.ts, *.spec.js, *_test.py, test_*.py, *_test.go, *_test.rs
Test configuration: jest.config.*, pytest.ini, setup.cfg [tool:pytest], .mocharc.*
Test scripts in package.json: "test" script defined

Result:

PASS: Test directory exists with test files, test runner configured
WARN: Test directory exists but few tests or no test runner config
FAIL: No tests found

Q2: Test Coverage Configuration

Check: Is test coverage measurement configured?

Look for:

Coverage config in jest.config.*, pytest.ini, .coveragerc
Coverage scripts in package.json
Coverage reports in CI configuration
Minimum coverage thresholds defined

Result:

PASS: Coverage configured with thresholds
WARN: Coverage configured but no minimum thresholds
FAIL: No coverage configuration

Q3: Linting Configured

Check: Is code linting set up?

Look for:

ESLint: .eslintrc.*, eslint.config.*
Prettier: .prettierrc.*
Python: .flake8, pyproject.toml [tool.ruff], setup.cfg [flake8], .pylintrc
Go: golangci-lint configuration, .golangci.yml
Rust: clippy in CI, rustfmt.toml
EditorConfig: .editorconfig

Result:

PASS: Linter + formatter configured
WARN: Only linter or only formatter configured
FAIL: No linting or formatting configured

Q4: Type Safety

Check: For languages with optional typing, is it enabled?

Look for:

TypeScript: tsconfig.json with "strict": true
Python: mypy.ini, pyproject.toml [tool.mypy], type hints in code, py.typed marker
JSDoc type annotations as alternative to TypeScript

Result:

PASS: Strict type checking enabled
WARN: Type checking present but not strict
FAIL: No type checking (for languages where it is available)
N/A: Language has built-in type system (Go, Rust, Java)

### Category 3: Documentation (Weight: 20%)

D1: README Exists and Is Substantive

Check: Does README.md exist? Is it more than a stub?

A good README contains:

Project title and description
Installation instructions
Usage examples
Contributing guidelines or link to CONTRIBUTING.md
License reference

Result:

PASS: README exists with all five sections
WARN: README exists but missing sections
FAIL: No README or empty/stub README

D2: LICENSE Exists

Check: Is there a LICENSE or LICENSE.md file?

Result:

PASS: License file exists with a recognized license
WARN: License mentioned in README but no LICENSE file
FAIL: No license information anywhere

D3: CHANGELOG or Release Notes

Check: Is there a CHANGELOG.md, or are GitHub Releases used?

Result:

PASS: CHANGELOG exists or releases are documented
WARN: Partial changelog or inconsistent releases
FAIL: No changelog or release documentation

D4: API Documentation

Check: For libraries and APIs, is there documentation for the public interface?

Look for:

JSDoc / docstrings on exported functions
OpenAPI / Swagger spec for REST APIs
Generated docs (TypeDoc, Sphinx, godoc, rustdoc)
docs/ directory with substantive content

Result:

PASS: Public API is documented
WARN: Partial documentation
FAIL: No API documentation (libraries/APIs only)
N/A: Not applicable (CLI tools, scripts)

### Category 4: CI/CD and Operations (Weight: 15%)

O1: CI/CD Pipeline Configured

Check: Is there an automated build/test pipeline?

Look for:

GitHub Actions: .github/workflows/*.yml
GitLab CI: .gitlab-ci.yml
CircleCI: .circleci/config.yml
Travis CI: .travis.yml
Jenkins: Jenkinsfile
Generic: Makefile, Taskfile.yml, npm scripts for build/test/lint

Result:

PASS: CI pipeline runs tests and linting automatically
WARN: CI exists but only runs tests (no lint, no type check)
FAIL: No CI/CD configuration

O2: Branch Protection / PR Process

Check: Is there evidence of a code review process?

Look for:

CODEOWNERS file
Branch protection rules (check via GitHub API if available)
PR templates: .github/pull_request_template.md
Contributing guide mentioning PR process

Result:

PASS: CODEOWNERS + PR template + contributing guide
WARN: Some review process artifacts present
FAIL: No code review process artifacts

O3: Container / Deployment Configuration

Check: Is deployment reproducible?

Look for:

Dockerfile with good practices (multi-stage build, non-root user, pinned base image)
docker-compose.yml for local development
Deployment manifests (Kubernetes, Terraform, CloudFormation)
Infrastructure as Code

Result:

PASS: Reproducible deployment configuration present
WARN: Dockerfile exists but with issues (root user, latest tag)
FAIL: No deployment configuration
N/A: Library/package (deployment is via package registry)

### Category 5: Code Hygiene (Weight: 10%)

H1: .gitignore Is Correct

Check: Does .gitignore cover all standard exclusions for the project type?

Node.js must exclude: node_modules/, dist/, .env, *.log, coverage/
Python must exclude: __pycache__/, *.pyc, .venv/, *.egg-info/, .env, dist/
Go must exclude: Binary outputs, .env, vendor/ (if not vendoring)
Rust must exclude: target/, .env

Result:

PASS: .gitignore covers all standard patterns for the project type
WARN: .gitignore exists but missing patterns
FAIL: No .gitignore

H2: No Large Binary Files

Check: Are there large binary files committed to the repository?

Flag: Files over 1MB that are not documentation images. Especially: .zip, .tar.gz, .jar, .exe, .dll, .so, compiled binaries, database files, media files.

Result:

PASS: No large binaries in tracked files
WARN: Some binary files present (under 5MB total)
FAIL: Large binaries committed (use Git LFS or artifact storage)

H3: Consistent Code Style

Check: Is the codebase consistently formatted?

Look for:

.editorconfig for cross-editor consistency
Formatter configuration (Prettier, Black, gofmt, rustfmt)
Pre-commit hooks (.husky/, .pre-commit-config.yaml)

Result:

PASS: Formatter configured + pre-commit hooks enforce it
WARN: Formatter configured but no enforcement via hooks
FAIL: No formatting configuration

### Point Calculation

Each check result earns points:

PASS = 100 points
WARN = 50 points
FAIL = 0 points
N/A = excluded from calculation

### Category Scores

Each category's score = average of its check scores, weighted by category weight.

### Overall Score and Grade

GradeScore RangeDescriptionA90-100Excellent. Production-ready, well-maintainedB75-89Good. Minor improvements neededC60-74Acceptable. Several gaps to addressD40-59Poor. Significant issues, not production-readyF0-39Failing. Major work needed across categories

### Grade Caps

Any Critical security finding (secrets in repo) caps grade at D
No tests at all caps grade at C
No README caps grade at C
No .gitignore caps grade at D

### Output Format

## Project Health Report

**Project:** [name]
**Type:** [Node.js web app / Python library / Go microservice / etc.]
**Date:** [date]
**Guardian:** sovereign-project-guardian v1.0.0

### Overall Grade: [A-F] ([score]/100)

### Category Breakdown

| Category | Score | Checks Passed | Checks Failed |
|----------|-------|---------------|---------------|
| Security (30%) | XX/100 | X | X |
| Quality (25%) | XX/100 | X | X |
| Documentation (20%) | XX/100 | X | X |
| CI/CD & Ops (15%) | XX/100 | X | X |
| Code Hygiene (10%) | XX/100 | X | X |

### Detailed Findings

#### Security
- [PASS] S1: No secrets in repository
- [FAIL] S2: .env files not in .gitignore
  - Action: Add \`.env*\` to \`.gitignore\`
...

#### Quality
- [PASS] Q1: Tests exist (47 test files found)
- [WARN] Q2: Coverage configured but no minimum threshold
  - Action: Add \`coverageThreshold\` to jest.config.js
...

### Priority Action Plan

1. [CRITICAL] Add .env to .gitignore and remove from history
2. [HIGH] Configure test coverage thresholds (aim for 80%)
3. [MEDIUM] Add CHANGELOG.md
4. [LOW] Set up pre-commit hooks for formatting

### Project Type Detection

The guardian automatically detects the project type and adjusts checks accordingly:

IndicatorProject TypeAdjusted Checkspackage.json + src/ + framework depNode.js Web AppSecurity headers check appliespackage.json + index.js/d.ts + no frameworkNode.js LibrarySkip deployment checkspyproject.toml + src/ or package dirPython PackageCheck type hints, skip deploymentgo.mod + cmd/Go ServiceCheck for race condition testinggo.mod + no cmd/Go LibrarySkip deployment checksCargo.toml + src/main.rsRust BinaryCheck unsafe usageCargo.toml + src/lib.rsRust LibraryCheck documentation, skip deployment

### Installation

clawhub install sovereign-project-guardian

### Files

FileDescriptionSKILL.mdThis file -- complete evaluation methodologyEXAMPLES.mdBefore/after: taking a project from F to AREADME.mdQuick start and overview

### License

MIT
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: ryudi84
- Version: 1.0.0
## Source health
- Status: healthy
- Source download looks usable.
- Yavira can redirect you to the upstream package for this source.
- Health scope: source
- Reason: direct_download_ok
- Checked at: 2026-04-23T16:43:11.935Z
- Expires at: 2026-04-30T16:43:11.935Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/sovereign-project-guardian)
- [Send to Agent page](https://openagent3.xyz/skills/sovereign-project-guardian/agent)
- [JSON manifest](https://openagent3.xyz/skills/sovereign-project-guardian/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/sovereign-project-guardian/agent.md)
- [Download page](https://openagent3.xyz/downloads/sovereign-project-guardian)