skillgate-gov

Supply-chain governance for OpenClaw skills: scan, assess, quarantine/restore.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "skillgate-gov" with this command: npx skills add liyecom/skillgate-gov

SkillGate (Governance)

This skill teaches OpenClaw how to run SkillGate against a skills directory, generate evidence, and quarantine risky skills.

Quick Start (recommended)

We intentionally avoid global installs (npm i -g) to reduce supply-chain risk. Use a pinned version via npx for deterministic behavior.

# Scan current workspace (read-only by default)
npx --yes @skillgate/openclaw-skillgate@0.1.3 gov_scan .

# Show a human-readable explanation for a finding
npx --yes @skillgate/openclaw-skillgate@0.1.3 gov_explain <EVIDENCE_JSON_PATH>

Provenance / How to verify what you run

# Verify package metadata
npm view @skillgate/openclaw-skillgate@0.1.3 name version license repository
npm view @skillgate/openclaw-skillgate@0.1.3 dist.tarball dist.integrity

# Optional: verify GitHub release & source
# Repo: https://github.com/skillgatesecurity/openclaw-skillgate

This package is published under the official @skillgate scope and built/released via GitHub Actions.

Permissions & Filesystem scope

  • Network: not required for scanning local files (except fetching the npm package on first run).
  • Default mode: read-only scan of the given directory.
  • Writes (only when you explicitly run quarantine/restore commands):
    • creates/updates evidence outputs under a local folder (e.g. .skillgate/ or the specified output path)
    • may quarantine a skill by moving/marking files within the target directory you pass in

It does not require secrets (no tokens/keys) and does not modify system-wide settings.

OpenClaw Plugin Commands

Once loaded as an OpenClaw plugin, these slash commands become available:

# scan all skills for risks (default: HIGH+)
/gov scan

# scan with all findings including LOW/INFO
/gov scan --all

# quarantine a specific skill
/gov quarantine <skillKey>

# restore a quarantined skill
/gov restore <skillKey>

# explain why a skill was flagged
/gov explain <skillKey>

# show governance status
/gov status

Risk Levels

LevelAuto ActionDescription
CRITICALQuarantineShell injection, supply-chain attacks
HIGHDisableDangerous patterns, external downloads
MEDIUMWarnRisky but not immediately dangerous
LOW/INFOLogInformational only

Local Development (optional)

If you prefer a local dependency instead of npx:

npm i -D @skillgate/openclaw-skillgate@0.1.3
npx gov_scan .

Notes

Use this as the standard operating procedure for Skill supply-chain reviews.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Web3

asndurl

Make HTTP requests to x402-enabled APIs with automatic payment handling via Ampersend wallet

Registry SourceRecently Updated
0149
matiasedgeandnode
Web3

AgentHub - 32 AI APIs via x402

Call 32 real-world APIs — flights, hotels, weather, crypto prices, DeFi yields, stock quotes, web search, geocoding, IP reputation, blockchain data, code exe...

Registry SourceRecently Updated
0146
marcelo-rowship
Web3

Nansen Wallet

Wallet management — create, list, show, export, send, delete. Use when creating wallets, checking balances, or sending tokens.

Registry SourceRecently Updated
1162
Profile unavailable