skillgate-gov

Supply-chain governance for OpenClaw skills: scan, assess, quarantine/restore.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "skillgate-gov" with this command: npx skills add liyecom/skillgate-gov

SkillGate (Governance)

This skill teaches OpenClaw how to run SkillGate against a skills directory, generate evidence, and quarantine risky skills.

Quick Start (recommended)

We intentionally avoid global installs (npm i -g) to reduce supply-chain risk. Use a pinned version via npx for deterministic behavior.

# Scan current workspace (read-only by default)
npx --yes @skillgate/openclaw-skillgate@0.1.3 gov_scan .

# Show a human-readable explanation for a finding
npx --yes @skillgate/openclaw-skillgate@0.1.3 gov_explain <EVIDENCE_JSON_PATH>

Provenance / How to verify what you run

# Verify package metadata
npm view @skillgate/openclaw-skillgate@0.1.3 name version license repository
npm view @skillgate/openclaw-skillgate@0.1.3 dist.tarball dist.integrity

# Optional: verify GitHub release & source
# Repo: https://github.com/skillgatesecurity/openclaw-skillgate

This package is published under the official @skillgate scope and built/released via GitHub Actions.
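The dist.integrity value printed above is an SRI string ("sha512-" followed by a base64 digest). The script below is an added example, not part of the SkillGate package, showing one way to check a tarball you have downloaded against that value. The function names are hypothetical, and it assumes sha512sum, base64, od, tr and cut from coreutils or busybox.

```shell
#!/bin/sh
# Added example (not from the SkillGate project): compare a local tarball with
# the SRI string reported by `npm view <pkg>@<version> dist.integrity`.
#
# Usage:
#   npm pack @skillgate/openclaw-skillgate@0.1.3      # writes the .tgz locally
#   sh verify.sh <tarball.tgz> "$(npm view @skillgate/openclaw-skillgate@0.1.3 dist.integrity)"

# Hex SHA-512 of a file. Reading from stdin keeps odd file names out of the output.
file_sha512_hex() {
    sha512sum < "$1" | cut -d' ' -f1
}

# Convert "sha512-<base64>" to a lowercase hex digest.
# Any other algorithm, or a digest that is not exactly 64 bytes, is rejected.
sri_to_hex() {
    case "$1" in
        sha512-*) ;;
        *) return 1 ;;
    esac
    hex=$(printf '%s' "${1#sha512-}" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ "${#hex}" -eq 128 ] || return 1
    printf '%s\n' "$hex"
}

# verify_tarball <tarball> <sri>
# Returns 0 on match, 1 on digest mismatch, 2 if the file or SRI string is unusable.
verify_tarball() {
    [ -f "$1" ] || return 2
    expected=$(sri_to_hex "$2") || return 2
    actual=$(file_sha512_hex "$1")
    [ "$actual" = "$expected" ]
}

# Run as a script only when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: tarball matches dist.integrity"
    else
        echo "FAIL: mismatch or unusable input" >&2
        exit 1
    fi
fi
```

A match shows only that the local file is the one the registry metadata describes; comparing against the GitHub release source is a separate step.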

Permissions & Filesystem scope

  • Network: not required for scanning local files (except fetching the npm package on first run).
  • Default mode: read-only scan of the given directory.
  • Writes (only when you explicitly run quarantine/restore commands):
    • creates/updates evidence outputs under a local folder (e.g. .skillgate/ or the specified output path)
    • may quarantine a skill by moving/marking files within the target directory you pass in

It does not require secrets (no tokens/keys) and does not modify system-wide settings.

OpenClaw Plugin Commands

Once loaded as an OpenClaw plugin, these slash commands become available:

# scan all skills for risks (default: HIGH+)
/gov scan

# scan with all findings including LOW/INFO
/gov scan --all

# quarantine a specific skill
/gov quarantine <skillKey>

# restore a quarantined skill
/gov restore <skillKey>

# explain why a skill was flagged
/gov explain <skillKey>

# show governance status
/gov status

Risk Levels

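| Level    | Auto Action | Description                           |
|----------|-------------|---------------------------------------|
| CRITICAL | Quarantine  | Shell injection, supply-chain attacks |
| HIGH     | Disable     | Dangerous patterns, external downloads |
| MEDIUM   | Warn        | Risky but not immediately dangerous   |
| LOW/INFO | Log         | Informational only                    |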

Local Development (optional)

If you prefer a local dependency instead of npx:

npm i -D @skillgate/openclaw-skillgate@0.1.3
npx gov_scan .

Notes

Use this as the standard operating procedure for Skill supply-chain reviews.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
