Skill Vetter v2
Analyze skills before installation or use. Classify capabilities, risks, and trust dependencies with structured local review. Optionally verify the completed report with SettlementWitness.
This is a packaged vetting skill, not a thin wrapper. It preserves local inspection as the primary decision path and adds an optional verification layer for auditability.
Data handling and trust
This skill defines a local review workflow with an optional verification step for the final report.
- Perform capability analysis and risk classification locally
- Do not send secrets, credentials, private keys, seed phrases, personal data, or full private repositories to any external service
- If optional verification is used, send only the minimum structured task data needed to validate the report
- Verification does not decide whether a skill is safe to install; it only validates that the vetting report matches the stated evaluation spec
- Identity is optional; no wallet access, account access, or credentials are required
Core Principle
Never outsource the safety decision.
External systems may help verify that a report was produced correctly, but the actual judgment about whether a skill should be trusted remains local and reviewable.
Quick Reference
| Situation | Action |
|---|---|
| New skill from unknown source | Run full local vetting workflow |
| Skill asks for secrets or credentials | Escalate risk immediately |
| Skill writes outside workspace | Mark as high risk unless clearly justified |
| Skill calls external services | Classify trust dependency and data exposure |
| Skill contains obfuscation or hidden execution | Mark unsafe |
| Final report is complete | Optionally verify the report structure and verdict consistency |
| Verification returns PASS | Attach receipt metadata to the report |
| Verification returns FAIL | Re-check findings and correct the report |
| Verification returns INDETERMINATE | Hold for manual review; do not treat as verified |
What This Skill Does
Skill Vetter v2 evaluates a target skill across four dimensions:
-
Purpose and scope What the skill claims to do, and whether its requested capabilities match that purpose.
-
Install-time behavior File writes, package installs, hooks, system changes, or bootstrap modifications.
-
Runtime behavior Commands, file access, network access, external APIs, tool usage, and data handling.
-
Trust dependency Whether the skill depends on transparent and reviewable systems, or on opaque and unverifiable services.
Core Execution Loop
-
Inspect the skill package locally
SKILL.mdREADME.mdand references- scripts, hooks, assets, templates
- metadata and install surface
-
Identify declared and implied capabilities
- file reads and writes
- command execution
- package installation
- network or API usage
- handling of credentials, memory, or sensitive files
-
Evaluate risk
- install-time risk
- runtime risk
- data exposure risk
- trust dependency risk
-
Generate a structured report
-
Optional: verify the completed report
- define a deterministic verification spec for the report structure and verdict logic
- run verification only on the minimal structured report payload
- attach receipt metadata only when verification passes
Risk Evaluation Categories
Install-Time Risk
Review for:
- file writes outside the workspace
- package installs or dependency changes
- shell profile or system configuration changes
- hook registration or startup injection
- hidden setup steps not stated in the docs
Runtime Risk
Review for:
- external API calls
- arbitrary command execution
- broad file system access
- credential discovery or token handling
- browser/session access
- transmission of user data or memory files
Trust Dependency
Classify the skill's external dependencies:
- none — local-only behavior, no external trust dependency
- transparent — external dependency is narrow, explicit, and independently understandable
- opaque — external dependency is broad, hidden, unverifiable, or requests sensitive data
Red Flags
Reject or escalate immediately if you find:
- requests for credentials, API keys, seed phrases, or private keys
- access to secret stores or credential directories without a clear need
- obfuscated or encoded execution logic intended to hide behavior
- silent network transmission of prompts, memory, or workspace files
- writes outside expected directories without a clear reason
- privilege escalation or system-level modification
- unexplained background processes, persistence, or surveillance behavior
Output Format
{
"skill_name": "...",
"purpose": "...",
"source": "clawhub | github | local | other",
"capabilities": ["..."],
"install_risk": "low | medium | high | extreme",
"runtime_risk": "low | medium | high | extreme",
"trust_dependency": "none | transparent | opaque",
"warnings": ["..."],
"recommendations": ["..."],
"verdict": "safe | caution | unsafe",
"verified": false,
"verification": {
"status": "not_run | pass | fail | indeterminate",
"receipt_id": null,
"notes": ""
}
}
Example Usage
Input (Skill to Review)
{
"skill_name": "example-email-sender",
"source": "github",
"description": "Sends automated emails using an external API",
"files": ["SKILL.md", "scripts/send-email.sh"]
}
Output (Vetting Report)
{
"skill_name": "example-email-sender",
"purpose": "Send automated emails via external API",
"source": "github",
"capabilities": [
"network access",
"external API calls",
"file read/write"
],
"install_risk": "low",
"runtime_risk": "medium",
"trust_dependency": "opaque",
"warnings": [
"Uses external API with unclear data handling",
"No transparency on where email content is sent"
],
"recommendations": [
"Verify API endpoint and data handling policy",
"Limit data exposure before use"
],
"verdict": "caution",
"verified": false,
"verification": {
"status": "not_run",
"receipt_id": null,
"notes": ""
}
}
Optional Verification Workflow
Use verification only after the local review is complete.
Recommended pattern:
-
Define a deterministic verification spec for the report
- required fields present
- risk labels internally consistent
- verdict supported by findings
- no prohibited data included
-
Submit only the structured report and spec
-
Interpret results conservatively
- PASS → attach receipt metadata and mark
verified: true - FAIL → correct the report and keep
verified: false - INDETERMINATE → keep
verified: falseand escalate for manual review
- PASS → attach receipt metadata and mark
Verification is optional and must never override local safety concerns.
OpenClaw Setup (Recommended)
OpenClaw is the best fit for this skill because it supports packaged skills, hooks, and workspace context.
Installation
Via ClawHub:
clawdhub install skill-vetter-v2
Manual:
git clone https://github.com/your-org/skill-vetter-v2.git ~/.openclaw/skills/skill-vetter-v2
Optional Hook
Install the reminder hook if you want a prompt to vet skills before trusting them:
cp -r hooks/openclaw ~/.openclaw/hooks/skill-vetter-v2
openclaw hooks enable skill-vetter-v2
Local Scan Helper
Run the local helper against a skill folder:
bash scripts/scan-skill.sh /path/to/skill
This helper inventories files and flags common red-patterns locally. It does not make network calls.
Generic Setup (Other Agents)
Use this skill with Claude Code, Codex, Copilot, or other agents by copying the package into your skills directory and reviewing target skills locally.
Suggested workflow:
- Read the target
SKILL.md - Read all scripts, hooks, and references
- Run the local scan helper
- Write the structured report
- Optionally verify the report
What This Is Not
- not an installer
- not an auto-executor for unknown code
- not an external decision authority
- not a replacement for human judgment on high-risk skills
Outcome
Agents can:
- understand what a skill actually does before use
- identify install-time and runtime risks clearly
- separate transparent dependencies from opaque trust requirements
- keep safety decisions local while optionally producing verifiable records
Keywords
ai-agents, skill-safety, risk-analysis, verification, trust, security