skill-guard

The only pre-install security gate for ClawHub skills.

Why skill-guard?

	VirusTotal (ClawHub built-in)	skillscanner (Gen Digital)	skill-guard
When it runs	After publish (server-side)	On-demand lookup	Before install (client-side)
What it checks	Malware signatures	Their database	Actual skill content
Prompt injections	❌	❌	✅
Data exfiltration URLs	❌	❌	✅
Hidden instructions	❌	❌	✅
AI-specific threats	❌	❌	✅
Install blocking	❌	❌	✅

VirusTotal catches known malware binaries — but won't flag <!-- IGNORE PREVIOUS INSTRUCTIONS -->.

skillscanner checks if Gen Digital has reviewed it — but can't scan new or updated skills.

skill-guard uses Snyk Agent Scan (the renamed successor to mcp-scan) to analyze what's actually in the skill, catches AI-specific threats, and blocks install if issues are found. If the scanner is unavailable or not configured, the wrapper now reports that separately instead of pretending the skill itself is malicious.

The Problem

Skills can contain:

• 🎭 Prompt injections — hidden "ignore previous instructions" attacks
• 💀 Malware payloads — dangerous commands disguised in natural language
• 🔑 Hardcoded secrets — API keys, tokens in plain text
• 📤 Data exfiltration — URLs that leak your conversations, memory, files
• ⛓️ Toxic flows — instructions that chain into harmful actions

One bad skill = compromised agent. Your agent trusts skills implicitly.

The Solution

# Instead of: clawhub install some-skill
./scripts/safe-install.sh some-skill

skill-guard:

1. Downloads to staging (/tmp/) — never touches your real skills folder
2. Scans with Snyk Agent Scan — Snyk's security scanner for AI agents
3. Blocks or installs — clean skills get installed, threats get quarantined

What It Catches

Real example — skill-guard flagged this malicious skill:

● [E004]: Prompt injection detected (high risk)
● [E006]: Malicious code pattern detected  
● [W007]: Insecure credential handling
● [W008]: Machine state compromise attempt
● [W011]: Third-party content exposure

VirusTotal: 0/76 engines. Snyk Agent Scan can catch what antivirus misses.

Usage

# Secure install (recommended)
./scripts/safe-install.sh <skill-slug>

# With version
./scripts/safe-install.sh <skill-slug> --version 1.2.3

# Force overwrite
./scripts/safe-install.sh <skill-slug> --force

Exit Codes

Code	Meaning	Action
0	Clean	Skill installed ✓
1	Error	Check arguments, dependencies, fetch/install flow
2	Threats found	Skill quarantined in /tmp/, review before deciding
3	Scanner unavailable	Configure SNYK_TOKEN or fix scanner setup, then rerun

When Threats Are Found

Skill stays in /tmp/skill-guard-staging/skills/<slug>/ (quarantined). You can:

1. Review — read the scan output, inspect the files
2. Install anyway — mv /tmp/skill-guard-staging/skills/<slug> ~/.openclaw/workspace/skills/
3. Discard — rm -rf /tmp/skill-guard-staging/

Requirements

• clawhub CLI — npm i -g clawhub
• uv — curl -LsSf https://astral.sh/uv/install.sh | sh
• SNYK_TOKEN — required by Snyk Agent Scan for authenticated scanning

Why This Matters

Your agent has access to your files, messages, maybe your whole machine. One malicious skill can:

• Read your secrets and send them elsewhere
• Modify your agent's behavior permanently
• Use your identity to spread to other systems

Trust, but verify. Scan before you install.