Skill Vetter v2

Example Usage

Input (Skill to Review)

{
  "skill_name": "example-email-sender",
  "source": "github",
  "description": "Sends automated emails using an external API",
  "files": ["SKILL.md", "scripts/send-email.sh"]
}

Output (Vetting Report)

{
  "skill_name": "example-email-sender",
  "purpose": "Send automated emails via external API",
  "source": "github",
  "capabilities": [
    "network access",
    "external API calls",
    "file read/write"
  ],
  "install_risk": "low",
  "runtime_risk": "medium",
  "trust_dependency": "opaque",
  "warnings": [
    "Uses external API with unclear data handling",
    "No transparency on where email content is sent"
  ],
  "recommendations": [
    "Verify API endpoint and data handling policy",
    "Limit data exposure before use"
  ],
  "verdict": "caution",
  "verified": false,
  "verification": {
    "status": "not_run",
    "receipt_id": null,
    "notes": ""
  }
}

Optional Verification Workflow

Use verification only after the local review is complete.

Recommended pattern:

1. Define a deterministic verification spec for the report

• required fields present
• risk labels internally consistent
• verdict supported by findings
• no prohibited data included

1. Submit only the structured report and spec

1. Interpret results conservatively

• PASS → attach receipt metadata and mark verified: true
• FAIL → correct the report and keep verified: false
• INDETERMINATE → keep verified: false and escalate for manual review

Verification is optional and must never override local safety concerns.

OpenClaw Setup (Recommended)

OpenClaw is the best fit for this skill because it supports packaged skills, hooks, and workspace context.

Installation

Via ClawHub:

clawdhub install skill-vetter-v2

Manual:

git clone https://github.com/your-org/skill-vetter-v2.git ~/.openclaw/skills/skill-vetter-v2

Optional Hook

Install the reminder hook if you want a prompt to vet skills before trusting them:

cp -r hooks/openclaw ~/.openclaw/hooks/skill-vetter-v2
openclaw hooks enable skill-vetter-v2

Local Scan Helper

Run the local helper against a skill folder:

bash scripts/scan-skill.sh /path/to/skill

This helper inventories files and flags common red-patterns locally. It does not make network calls.

Generic Setup (Other Agents)

Use this skill with Claude Code, Codex, Copilot, or other agents by copying the package into your skills directory and reviewing target skills locally.

Suggested workflow:

1. Read the target SKILL.md
2. Read all scripts, hooks, and references
3. Run the local scan helper
4. Write the structured report
5. Optionally verify the report

What This Is Not

• not an installer
• not an auto-executor for unknown code
• not an external decision authority
• not a replacement for human judgment on high-risk skills

Outcome

Agents can:

• understand what a skill actually does before use
• identify install-time and runtime risks clearly
• separate transparent dependencies from opaque trust requirements
• keep safety decisions local while optionally producing verifiable records

Keywords

ai-agents, skill-safety, risk-analysis, verification, trust, security