Skill Vetter
Security-first vetting protocol for AI agent skills — checks for red flags, permission scope, and suspicious patterns before you install anything.
# Skill Vetter Security-first vetting protocol for AI agent skills — checks for red flags, permission scope, and suspicious patterns before you install anything. Skill Vetter is a security-first vetting protocol that reviews AI agent skills before installation. It provides a structured checklist covering source verification, mandatory code review, permission scope analysis, and risk classification — ensuring you never install a compromised or overly-permissive skill. ## How It Works The vetting process follows four steps: (1) Source Check to verify the author's reputation and the skill's download stats, (2) a mandatory Code Review that reads all files and flags red-flag patterns like credential access, obfuscated code, and external data exfiltration, (3) Permission Scope evaluation to ensure the skill requests only what it needs, and (4) Risk Classification that assigns a severity level from Low to Extreme with recommended actions. ## Key Features - **Source Verification**: Checks author reputation, download count, last update date, and community reviews - **Red Flag Detection**: Scans for credential theft, external data sends, obfuscated code, base64 decoding, eval/exec usage, and unauthorized file access - **Permission Scope Analysis**: Evaluates file, network, and command permissions against the skill's stated purpose - **Risk Classification**: Four-tier system (Low, Medium, High, Extreme) with clear action recommendations for each level - **Trust Hierarchy**: Adjusts scrutiny level based on source: official skills get less, unknown sources get maximum - **Structured Report Output**: Produces a standardized vetting report with metrics, red flags, permissions, risk level, and verdict ## Requirements - **No API keys or external dependencies required**: The skill operates as a vetting protocol for your AI agent. Optional GitHub API queries can be used to check repo stats for GitHub-hosted skills. ## Use Cases - **Pre-Installation Review**: Vet any skill from ClawHub, GitHub, or other sources before installing - **Team Security Policy**: Establish a consistent security standard for skill installation across your organization - **Skill Auditing**: Review already-installed skills for potential security issues - **Third-Party Evaluation**: Evaluate skills shared by other agents or from unknown repositories ## Installation Install via: `npx clawhub@latest install skill-vetter`
Instalação
Execute no seu terminal
npx clawhub@latest install skill-vetterClique no botão Instalar no topo desta página para configuração com um clique