skill-vetting
Reviews a ClawHub skill's source code for security risks before installation. Use before installing any new skill.
git clone --depth 1 https://github.com/ArchieIndian/openclaw-superpowers /tmp/skill-vetting && cp -r /tmp/skill-vetting/skills/core/skill-vetting ~/.claude/skills/skill-vettingSKILL.md
# Skill Vetting ~17% of ClawHub skills are malicious. Read before you install. ## When to Use - Before installing any skill from ClawHub or an external source - When a skill requests unusual permissions or credentials ## The Process ### Step 1: Read the Source Locate and read the skill's full `SKILL.md` and any scripts it references. Never install from a description alone. ### Step 2: Check for Red Flags Scan for each of these — flag any that are present: - [ ] **Unknown network calls** — does it POST to a non-obvious domain? (`curl`, `fetch`, `requests.post`) - [ ] **Credential harvesting** — does it read `~/.ssh`, `~/.env`, API key env vars, or keychain? - [ ] **Filesystem writes outside expected paths** — anything writing outside `~/.openclaw/` or the project dir? - [ ] **Obfuscated code** — base64-encoded payloads, eval of dynamic strings, minified one-liners - [ ] **Excessive permissions** — requesting tool access it doesn't need for its stated purpose - [ ] **Unverifiable author** — new account, no history, no linked repo ### Step 3: Verdict - **0 flags** → safe to install - **1–2 flags** → install with caution; note which flags and monitor - **3+ flags** → do not install; tell the user why ### Step 4: Report State your verdict clearly before any install proceeds: > "Vetted `[skill-name]`: [0/1/2/3] flags. [Safe to install / Install with caution / Do not install]. Flags: [list]." ## Key Principles - Never skip vetting because a skill is popular or highly downloaded - A skill that "just reads" can still exfiltrate data via network calls - If source code is unavailable or obfuscated, that itself is a flag
Syncs agent daily memory and MEMORY.md to an Obsidian vault so notes are human-browsable. Use nightly or on demand.
Structured ideation before any implementation. Use when starting any non-trivial task.
Scaffolds and validates new superpowers skills. Use when creating a new skill for this repository.
Executes plans task-by-task with verification. Use when implementing a plan.
Triggers a secondary verification pass for any agent output containing factual claims, numbers, dates, or named entities before the output is acted on
Crawls a new codebase to infer stack, conventions, and key invariants, then generates a PROJECT.md context file for the agent
Handles PR review feedback by fetching comments, grouping issues, fixing one group at a time, and verifying before replies.
Detects skill name shadowing and description-overlap conflicts that cause OpenClaw to trigger the wrong skill or silently ignore one when two skills compete for the same intent.