skill-vetter-v2技能安全审核

Example Usage

Input (Skill to Review)

``json id="9j3kdx" { "skill_name": "example-email-sender", "source": "github", "description": "Sends automated emails using an external API", "files": ["SKILL.md", "scripts/send-email.sh"] } CODEBLOCK0json id="4n6rfa" { "skill_name": "example-email-sender", "purpose": "Send automated emails via external API", "source": "github", "capabilities": [ "network access", "external API calls", "file read/write" ], "install_risk": "low", "runtime_risk": "medium", "trust_dependency": "opaque", "warnings": [ "Uses external API with unclear data handling", "No transparency on where email content is sent" ], "recommendations": [ "Verify API endpoint and data handling policy", "Limit data exposure before use" ], "verdict": "caution", "verified": false, "verification": { "status": "not_run", "receipt_id": null, "notes": "" } } CODEBLOCK1bash id="t2j9mf" clawdhub install skill-vetter-v2 CODEBLOCK2bash id="a1vk0r" git clone https://github.com/your-org/skill-vetter-v2.git ~/.openclaw/skills/skill-vetter-v2 CODEBLOCK3bash id="0xptv9" cp -r hooks/openclaw ~/.openclaw/hooks/skill-vetter-v2 openclaw hooks enable skill-vetter-v2 CODEBLOCK4bash id="z7p2qs" bash scripts/scan-skill.sh /path/to/skill ` This helper inventories files and flags common red-patterns locally. It does not make network calls. ## Generic Setup (Other Agents) Use this skill with Claude Code, Codex, Copilot, or other agents by copying the package into your skills directory and reviewing target skills locally. Suggested workflow: 1. Read the target SKILL.md`

1. 2. Read all scripts, hooks, and references
2. Run the local scan helper
3. Write the structured report
4. Optionally verify the report

What This Is Not

• * not an installer
• not an auto-executor for unknown code
• not an external decision authority
• not a replacement for human judgment on high-risk skills

Outcome

Agents can:

• * understand what a skill actually does before use
• identify install-time and runtime risks clearly
• separate transparent dependencies from opaque trust requirements
• keep safety decisions local while optionally producing verifiable records

Keywords

ai-agents, skill-safety, risk-analysis, verification, trust, security