
Skill Auditor
Run a structured six-step pre-install security review on any OpenClaw skill before it touches your workspace.
Overview
Skill Auditor is an agent skill most often used in Ship (also Operate) that runs a six-step pre-install security review on OpenClaw skills and produces a verdict report.
Install
npx skills add https://github.com/useai-pro/openclaw-skills-security --skill skill-auditor
What is this skill?
- Fixed six-step review protocol with severity-based verdicts
- Checks typosquatting, dangerous permissions, prompt injection, and exfiltration patterns
- Supply-chain and dependency risk review before install
- Outputs a SKILL AUDIT REPORT with red flags and safe-run guidance
- Repeatable re-vetting when skill updates change permissions
- 6-step structured review protocol
- Produces a SKILL AUDIT REPORT with severity-based verdicts
- Documented auditor trust-score metadata in skill frontmatter
Adoption & trust: 581 installs on skills.sh; 62 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You found a useful-looking agent skill but have no structured way to judge typosquatting, over-permissioning, or prompt-injection risk before install.
Who is it for?
Builders who install community OpenClaw skills and want a repeatable vetting ritual before granting file, network, or shell access.
Skip if: Teams that only use first-party, internally authored skills with no external packages—or when you need live runtime monitoring instead of pre-install static review.
When should I use this skill?
You need to decide whether a new skill is safe to install, or when a skill update changes permissions and you want repeatable re-vetting.
What do I get? / Deliverables
You get a SKILL AUDIT REPORT with severity-ranked red flags, install/block guidance, and a safe-run plan so only vetted skills enter the workspace.
- SKILL AUDIT REPORT with verdict and red flags
- Install or sandbox guidance
- Safe-run plan
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Installing third-party agent skills is a launch-risk moment; canonical placement is Ship → Security because vetting happens immediately before trust and execution. Subphase security matches pre-install threat modeling, permission scoping, and supply-chain checks—not post-deploy monitoring.
Where it fits
Audit a trending marketplace skill for shell and network flags before adding it to your coding agent.
Re-run the six-step protocol when an installed skill ships a minor version that adds file-write permissions.
Compare two competing integration skills and block the one with exfiltration patterns in embedded prompts.
How it compares
Use as a structured pre-install gate instead of trusting README marketing or download counts alone.
Common Questions / FAQ
Who is skill-auditor for?
Solo and indie builders using OpenClaw (and similar agent stacks) who install third-party skills and need evidence-based safety decisions before execution.
When should I use skill-auditor?
Before first install of a new skill, after any update that changes permissions or dependencies, and whenever reputation alone feels insufficient—especially in Ship security and Operate iterate when you re-evaluate workspace tooling.
Is skill-auditor safe to install?
Review the Security Audits panel on this Prism page for published trust scores and audit metadata; the skill is designed as a read-oriented auditor, but you should still confirm declared permissions match your threat model.
SKILL.md
# Skill Auditor

You are a security auditor for OpenClaw skills. Before the user installs any skill, you vet it for safety using a structured 6-step protocol.

**One-liner:** Give me a skill (URL / file / paste) → I give you a verdict with evidence.

## When to Use

- Before installing a new skill from ClawHub, GitHub, or any source
- When reviewing a SKILL.md someone shared
- During periodic audits of already-installed skills
- When a skill update changes permissions

## Audit Protocol (6 steps)

### Step 1: Metadata & Typosquat Check

Read the skill's SKILL.md frontmatter and verify:

- [ ] `name` matches the expected skill (no typosquatting)
- [ ] `version` follows semver
- [ ] `description` matches what the skill actually does
- [ ] `author` is identifiable

**Typosquat detection** (8 of 22 known malicious skills were typosquats):

| Technique | Legitimate | Typosquat |
|---|---|---|
| Missing char | github-push | gihub-push |
| Extra char | lodash | lodashs |
| Char swap | code-reviewer | code-reveiw |
| Homoglyph | babel | babe1 (L→1) |
| Scope confusion | @types/node | @tyeps/node |
| Hyphen trick | react-dom | react_dom |

### Step 2: Permission Analysis

Evaluate each requested permission:

| Permission | Risk | Justification Required |
|---|---|---|
| `fileRead` | Low | Almost always legitimate |
| `fileWrite` | Medium | Must explain what files are written |
| `network` | High | Must list exact endpoints |
| `shell` | Critical | Must list exact commands |

**Dangerous combinations — flag immediately:**

| Combination | Risk | Why |
|---|---|---|
| `network` + `fileRead` | CRITICAL | Read any file + send it out = exfiltration |
| `network` + `shell` | CRITICAL | Execute commands + send output externally |
| `shell` + `fileWrite` | HIGH | Modify system files + persist backdoors |
| All four permissions | CRITICAL | Full system access without justification |

**Over-privilege check:** Compare requested permissions against the skill's description. A "code reviewer" needs `fileRead` — not `network + shell`.

### Step 3: Dependency Audit

If the skill installs packages (`npm install`, `pip install`, `go get`):

- [ ] Package name matches intent (not typosquat)
- [ ] Publisher is known, download count reasonable
- [ ] No `postinstall` / `preinstall` scripts (these execute with full system access)
- [ ] No unexpected imports (`child_process`, `net`, `dns`, `http`)
- [ ] Source not obfuscated/minified
- [ ] Not published very recently (<1 week) with minimal downloads
- [ ] No recent owner transfer

**Severity:**

- CVSS 9.0+ (Critical): Do not install
- CVSS 7.0-8.9 (High): Only if patched version availabl
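Steps 1 and 2 of the protocol above, written as an added example that is not part of the skill's SKILL.md or the project's code: it checks a skill name against a known-good list using the table's typosquat techniques and reports the dangerous permission combinations. The `KNOWN_GOOD` list, the `permissions` frontmatter key, the function names and the sample input are assumptions made for illustration.

```python
# Added example, not the skill's own code. KNOWN_GOOD and the sample
# frontmatter dict are constructed; "permissions" as a key name is assumed.
FOLD = str.maketrans({"1": "l", "0": "o", "_": "-"})  # homoglyph / hyphen trick
KNOWN_GOOD = ["github-push", "lodash", "code-reviewer", "babel",
              "@types/node", "react-dom"]
COMBOS = [  # rows of the "Dangerous combinations" table in Step 2
    ({"network", "fileRead"}, "CRITICAL"),
    ({"network", "shell"}, "CRITICAL"),
    ({"shell", "fileWrite"}, "HIGH"),
    ({"fileRead", "fileWrite", "network", "shell"}, "CRITICAL"),
]


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def typosquat_of(name, known=KNOWN_GOOD, max_dist=1):
    """Return the known-good name that `name` imitates, or None."""
    if name in known:
        return None
    folded = name.lower().translate(FOLD)
    for good in known:
        if osa_distance(folded, good.translate(FOLD)) <= max_dist:
            return good
    return None


def permission_findings(perms):
    """Return (severity, combination) for each dangerous combination present."""
    have = set(perms)
    return [(sev, "+".join(sorted(c))) for c, sev in COMBOS if c <= have]


def audit(frontmatter):
    """Apply both checks to a parsed SKILL.md frontmatter dict."""
    findings = permission_findings(frontmatter.get("permissions", []))
    squat = typosquat_of(frontmatter["name"])
    return {"typosquat_of": squat, "findings": findings,
            "flag": squat is not None or bool(findings)}
```

The table's `code-reveiw` row is three edits away from `code-reviewer`, so it is only caught with `max_dist=3`, a threshold that also produces false positives on short names.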