skill-vetter-v2

## Example Usage ### Input (Skill to Review) ```json id="9j3kdx" { "skill_name": "example-email-sender", "source": "github", "description": "Sends automated emails using an external API", "files": ["SKILL.md", "scripts/send-email.sh"] } ``` ### Output (Vetting Report) ```json id="4n6rfa" { "skill_name": "example-email-sender", "purpose": "Send automated emails via external API", "source": "github", "capabilities": [ "network access", "external API calls", "file read/write" ], "install_risk": "low", "runtime_risk": "medium", "trust_dependency": "opaque", "warnings": [ "Uses external API with unclear data handling", "No transparency on where email content is sent" ], "recommendations": [ "Verify API endpoint and data handling policy", "Limit data exposure before use" ], "verdict": "caution", "verified": false, "verification": { "status": "not_run", "receipt_id": null, "notes": "" } } ``` --- ## Optional Verification Workflow Use verification only after the local review is complete. Recommended pattern: 1. Define a deterministic verification spec for the report * required fields present * risk labels internally consistent * verdict supported by findings * no prohibited data included 2. Submit only the structured report and spec 3. Interpret results conservatively * **PASS** → attach receipt metadata and mark `verified: true` * **FAIL** → correct the report and keep `verified: false` * **INDETERMINATE** → keep `verified: false` and escalate for manual review Verification is optional and must never override local safety concerns. ## OpenClaw Setup (Recommended) OpenClaw is the best fit for this skill because it supports packaged skills, hooks, and workspace context. ### Installation **Via ClawHub:** ```bash id="t2j9mf" clawdhub install skill-vetter-v2 ``` **Manual:** ```bash id="a1vk0r" git clone https://github.com/your-org/skill-vetter-v2.git ~/.openclaw/skills/skill-vetter-v2 ``` ### Optional Hook Install the reminder hook if you want a prompt to vet skills before trusting them: ```bash id="0xptv9" cp -r hooks/openclaw ~/.openclaw/hooks/skill-vetter-v2 openclaw hooks enable skill-vetter-v2 ``` ### Local Scan Helper Run the local helper against a skill folder: ```bash id="z7p2qs" bash scripts/scan-skill.sh /path/to/skill ``` This helper inventories files and flags common red-patterns locally. It does not make network calls. ## Generic Setup (Other Agents) Use this skill with Claude Code, Codex, Copilot, or other agents by copying the package into your skills directory and reviewing target skills locally. Suggested workflow: 1. Read the target `SKILL.md` 2. Read all scripts, hooks, and references 3. Run the local scan helper 4. Write the structured report 5. Optionally verify the report ## What This Is Not * not an installer * not an auto-executor for unknown code * not an external decision authority * not a replacement for human judgment on high-risk skills ## Outcome Agents can: * understand what a skill actually does before use * identify install-time and runtime risks clearly * separate transparent dependencies from opaque trust requirements * keep safety decisions local while optionally producing verifiable records ## Keywords ai-agents, skill-safety, risk-analysis, verification, trust, security