skill-guard
The only pre-install security gate for ClawHub skills.
Why skill-guard?
| VirusTotal (ClawHub built-in) | skillscanner (Gen Digital) | skill-guard |
|---|
| When it runs | After publish (server-side) | On-demand lookup | Before install (client-side) |
| What it checks |
Malware signatures | Their database |
Actual skill content |
|
Prompt injections | ❌ | ❌ | ✅ |
|
Data exfiltration URLs | ❌ | ❌ | ✅ |
|
Hidden instructions | ❌ | ❌ | ✅ |
|
AI-specific threats | ❌ | ❌ | ✅ |
|
Install blocking | ❌ | ❌ | ✅ |
VirusTotal catches known malware binaries — but won't flag <!-- IGNORE PREVIOUS INSTRUCTIONS -->.
skillscanner checks if Gen Digital has reviewed it — but can't scan new or updated skills.
skill-guard uses mcp-scan (Invariant Labs, acquired by Snyk) to analyze what's actually in the skill, catches AI-specific threats, and blocks install if issues are found.
The Problem
Skills can contain:
- - 🎭 Prompt injections — hidden "ignore previous instructions" attacks
- 💀 Malware payloads — dangerous commands disguised in natural language
- 🔑 Hardcoded secrets — API keys, tokens in plain text
- 📤 Data exfiltration — URLs that leak your conversations, memory, files
- ⛓️ Toxic flows — instructions that chain into harmful actions
One bad skill = compromised agent. Your agent trusts skills implicitly.
The Solution
CODEBLOCK0
skill-guard:
- 1. Downloads to staging (
/tmp/) — never touches your real skills folder - Scans with mcp-scan — Invariant/Snyk's security scanner for AI agents
- Blocks or installs — clean skills get installed, threats get quarantined
What It Catches
Real example — skill-guard flagged this malicious skill:
CODEBLOCK1
VirusTotal: 0/76 engines. mcp-scan caught what antivirus missed.
Usage
CODEBLOCK2
Exit Codes
| Code | Meaning | Action |
|---|
| INLINECODE2 | Clean | Skill installed ✓ |
| INLINECODE3 |
Error | Check dependencies/network |
|
2 | Threats found | Skill quarantined in
/tmp/, review before deciding |
When Threats Are Found
Skill stays in /tmp/skill-guard-staging/skills/<slug>/ (quarantined). You can:
- 1. Review — read the scan output, inspect the files
- Install anyway — �INLINECODE7
- Discard — �INLINECODE8
Requirements
- -
clawhub CLI — �INLINECODE10 - INLINECODE11� — �INLINECODE12
Why This Matters
Your agent has access to your files, messages, maybe your whole machine. One malicious skill can:
- - Read your secrets and send them elsewhere
- Modify your agent's behavior permanently
- Use your identity to spread to other systems
Trust, but verify. Scan before you install.
skill-guard
ClawHub技能的唯一预装安全门。
为什么需要skill-guard?
| VirusTotal(ClawHub内置) | skillscanner(Gen Digital) | skill-guard |
|---|
| 运行时机 | 发布后(服务端) | 按需查询 | 安装前(客户端) |
| 检查内容 |
恶意软件签名 | 他们的数据库 |
实际技能内容 |
|
提示注入 | ❌ | ❌ | ✅ |
|
数据外泄URL | ❌ | ❌ | ✅ |
|
隐藏指令 | ❌ | ❌ | ✅ |
|
AI特定威胁 | ❌ | ❌ | ✅ |
|
阻止安装 | ❌ | ❌ | ✅ |
VirusTotal 能捕获已知恶意软件二进制文件——但不会标记 。
skillscanner 检查Gen Digital是否已审核该技能——但无法扫描新技能或更新后的技能。
skill-guard 使用 mcp-scan(Invariant Labs开发,已被Snyk收购)分析技能的实际内容,捕获AI特定威胁,并在发现问题时阻止安装。
问题所在
技能可能包含:
- - 🎭 提示注入——隐藏的忽略先前指令攻击
- 💀 恶意软件载荷——伪装在自然语言中的危险命令
- 🔑 硬编码密钥——明文API密钥、令牌
- 📤 数据外泄——泄露你的对话、记忆、文件的URL
- ⛓️ 有害流程——链式触发有害行为的指令
一个坏技能 = 代理被攻破。 你的代理会无条件信任技能。
解决方案
bash
替代:clawhub install some-skill
./scripts/safe-install.sh some-skill
skill-guard:
- 1. 下载到暂存区(/tmp/)——绝不触碰你的真实技能文件夹
- 使用mcp-scan扫描——Invariant/Snyk为AI代理开发的安全扫描器
- 阻止或安装——干净的技能被安装,威胁被隔离
它能捕获什么
真实案例——skill-guard标记了以下恶意技能:
● [E004]:检测到提示注入(高风险)
● [E006]:检测到恶意代码模式
● [W007]:不安全的凭据处理
● [W008]:尝试破坏机器状态
● [W011]:第三方内容泄露
VirusTotal:0/76个引擎。mcp-scan捕获了杀毒软件遗漏的威胁。
使用方法
bash
安全安装(推荐)
./scripts/safe-install.sh <技能标识>
指定版本
./scripts/safe-install.sh <技能标识> --version 1.2.3
强制覆盖
./scripts/safe-install.sh <技能标识> --force
退出代码
错误 | 检查依赖/网络 |
| 2 | 发现威胁 | 技能已隔离至 /tmp/,请审核后再决定 |
发现威胁时
技能保留在 /tmp/skill-guard-staging/skills/<标识>/(隔离区)。你可以:
- 1. 审核——阅读扫描输出,检查文件
- 仍要安装——mv /tmp/skill-guard-staging/skills/<标识> ~/.openclaw/workspace/skills/
- 丢弃——rm -rf /tmp/skill-guard-staging/
系统要求
- - clawhub CLI——npm i -g clawhub
- uv——curl -LsSf https://astral.sh/uv/install.sh | sh
为什么这很重要
你的代理可以访问你的文件、消息,甚至整个机器。一个恶意技能就能:
- - 读取你的密钥并将其发送到别处
- 永久修改你代理的行为
- 利用你的身份传播到其他系统
信任,但需验证。 安装前先扫描。
