evez-skill-vetter

Security review for OpenClaw skills before installation. Use when evaluating third-party skills for safety, checking permission scope, detecting suspicious patterns, identifying data exfiltration risks, or auditing skill code. Covers static analysis, permission auditing, dependency scanning, and risk scoring.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "evez-skill-vetter" with this command: npx skills add evezart/evez-skill-vetter

Skill Vetter

Review third-party skills before installing them. Catch security risks early.

Quick Start

python3 scripts/vet.py --skill /path/to/skill
python3 scripts/vet.py --slug some-skill  # vet a ClawHub skill

What It Checks

  1. Permission scope — Does the skill request exec, network, or file access?
  2. Suspicious patterns — eval(), exec(), subprocess, fetch to unknown hosts, encoded strings
  3. Data exfiltration — Sending data to external endpoints, logging secrets
  4. Dependency risks — Known vulnerable packages, excessive dependencies
  5. Code quality — Minified/obfuscated code, missing SKILL.md, oversized files
  6. Secret exposure — Hardcoded API keys, tokens, passwords in source

Risk Score

Each check produces a risk score 0-100:

  • 0-20: ✅ Safe — install freely
  • 21-50: ⚠️ Caution — review findings before installing
  • 51-75: 🚨 Risky — significant security concerns
  • 76-100: ❌ Dangerous — do not install

Output

SKILL: some-skill
RISK: 35/100 (Caution)
FINDINGS:
  ⚠️ Uses subprocess.call() in scripts/run.sh:3
  ⚠️ Fetches from https://unknown-api.com in scripts/pull.py:12
  ✅ No hardcoded secrets found
  ✅ SKILL.md present and valid
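
A minimal sketch of the pattern checks and risk bands described above, added here as an example; it is not the skill's scripts/vet.py. The rule weights, the ALLOWED_HOSTS allowlist, the vet() and band() names and the sample files are assumptions constructed for illustration; only the band boundaries come from this page.

```python
import re
from urllib.parse import urlparse

# Weights and the host allowlist are assumptions for this sketch; the page does
# not say how vet.py computes its score.
RULES = [
    ("Uses eval()/exec()", re.compile(r"\b(?:eval|exec)\s*\("), 25),
    ("Uses subprocess", re.compile(r"\bsubprocess\.\w+\s*\("), 15),
    ("Long base64-like string", re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"), 20),
    ("Hardcoded secret", re.compile(
        r"(?i)\b(?:api[_-]?key|token|password)\b\s*=\s*['\"][^'\"]{8,}['\"]"), 30),
]
URL = re.compile(r"https?://[^\s'\"<>)]+")
ALLOWED_HOSTS = {"clawhub.example"}  # hypothetical allowlist
BANDS = [(20, "Safe"), (50, "Caution"), (75, "Risky"), (100, "Dangerous")]  # from the page

def band(score):
    return next(name for top, name in BANDS if score <= top)

def vet(files):
    """files: {relative path: source text}. Returns (score, findings)."""
    findings, score = [], 0
    if "SKILL.md" not in files:
        findings.append("SKILL.md missing")
        score += 20
    for path, text in sorted(files.items()):
        for n, line in enumerate(text.splitlines(), 1):
            for label, rx, weight in RULES:
                if rx.search(line):
                    findings.append(f"{label} in {path}:{n}")
                    score += weight
            for url in URL.findall(line):
                host = urlparse(url).hostname or ""
                if host not in ALLOWED_HOSTS:
                    findings.append(f"Fetches from {host} in {path}:{n}")
                    score += 20
    return min(score, 100), findings

# Constructed sample skill, not a real ClawHub package.
SAMPLE = {
    "SKILL.md": "# some-skill\n",
    "scripts/run.py": "import subprocess\n\nsubprocess.call(['ls'])\n",
    "scripts/pull.py": "import urllib.request\n"
                       "urllib.request.urlopen('https://unknown-api.example/v1')\n",
}

if __name__ == "__main__":
    score, findings = vet(SAMPLE)
    print(f"RISK: {score}/100 ({band(score)})", *findings, sep="\n  ")
```

Line-based regex rules like these miss obfuscated or dynamically built calls, so a low score from such a scan narrows what to read rather than replacing a manual review of SKILL.md and its scripts.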

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
