skill-vetting

# Skill Vetting

~17% of ClawHub skills are malicious. Read before you install.

## When to Use

- Before installing any skill from ClawHub or an external source
- When a skill requests unusual permissions or credentials

## The Process

### Step 1: Read the Source
Locate and read the skill's full `SKILL.md` and any scripts it references. Never install from a description alone.

### Step 2: Check for Red Flags

Scan for each of these — flag any that are present:

- [ ] **Unknown network calls** — does it POST to a non-obvious domain? (`curl`, `fetch`, `requests.post`)
- [ ] **Credential harvesting** — does it read `~/.ssh`, `~/.env`, API key env vars, or keychain?
- [ ] **Filesystem writes outside expected paths** — anything writing outside `~/.openclaw/` or the project dir?
- [ ] **Obfuscated code** — base64-encoded payloads, eval of dynamic strings, minified one-liners
- [ ] **Excessive permissions** — requesting tool access it doesn't need for its stated purpose
- [ ] **Unverifiable author** — new account, no history, no linked repo

### Step 3: Verdict

- **0 flags** → safe to install
- **1–2 flags** → install with caution; note which flags and monitor
- **3+ flags** → do not install; tell the user why

### Step 4: Report
State your verdict clearly before any install proceeds:
> "Vetted `[skill-name]`: [0/1/2/3] flags. [Safe to install / Install with caution / Do not install]. Flags: [list]."

## Key Principles

- Never skip vetting because a skill is popular or highly downloaded
- A skill that "just reads" can still exfiltrate data via network calls
- If source code is unavailable or obfuscated, that itself is a flag