Skill Safe Install (L0 Strict)
Enforce a conservative, auditable install workflow.
Purpose
Use this skill to reduce accidental or risky third-party skill installs:
- Force risk review before installation.
- Require sandbox verification before formal install.
- Require explicit user confirmation before sensitive actions.
- Avoid hidden trust escalation (no author-based bypass, no implicit allowBundled writes).
Non-negotiable rules
- Never skip steps.
- Never auto-trust by author, popularity, or “official-looking” name.
- Never modify persistent config (
openclaw.json) without explicit user consent in the current conversation. - If risk cannot be evaluated, treat as high risk and pause.
Workflow (Step 0 → Step 6)
Step 0 — Confirm target
- Resolve exact skill slug and (if available) version.
- If input is ambiguous, ask for confirmation before install.
Suggested checks:
clawhub search - Verify exact slug/version from results.
Step 1 — Duplicate/state check
- Check whether the skill is already installed.
- Check current trust state (whether already in
skills.allowBundled).
Suggested checks:
clawhub list- Read
~/.openclaw/openclaw.json (or platform-equivalent config path)
Step 2 — Mandatory security review (no whitelist bypass)
Run inspect and summarize at least:
- Maintainer/source and recent update signal
- Required secrets/credentials (API keys, OAuth, tokens)
- Network/system access scope
- Command execution or file-system mutation risk
- Persistence behavior (config edits, auto-run, always-on behavior)
Suggested check:
Risk rating rubric
- LOW: Text/process guidance only, no credentials, no system mutation.
- MEDIUM: Requires limited credentials or external API access with clear scope.
- HIGH: Broad command execution, config mutation, or multi-system OAuth.
- CRITICAL: Destructive capability, privilege escalation, stealth persistence, or unclear behavior.
Gate policy
- LOW / MEDIUM: Continue to sandbox.
- HIGH: Continue only after explicit confirmation.
- CRITICAL: Do not install by default; require explicit override and warn strongly.
Step 3 — Sandbox install (isolated workdir)
Install in a temporary isolated directory first.
- Use isolated workdir (do not install to primary skill directory yet).
- Confirm install result and basic behavior.
- If sandbox fails, stop.
Example pattern:
clawhub --workdir --dir skills install
Step 4 — User confirmation checkpoint
Before formal install, present:
- Chosen skill slug/version
- Risk rating + top risks
- Sandbox result
- Exact next action
Proceed only after explicit “yes/install/继续”.
Step 5 — Formal install
Run formal install only after Step 4 consent.
Example:
If install fails, stop and report error + rollback advice.
Step 6 — Optional trust persistence (allowBundled)
Default is do not write trust list.
Only perform this step when user explicitly asks to persist trust.
Required safeguards:
- Backup config with timestamp.
- Show exactly what key will change (
skills.allowBundled). - Append skill slug only if absent (idempotent).
- Confirm backup path and rollback command.
Do not use hidden or implicit trust writes.
Output format (required)
[Step 0/6] Target: ...[Step 1/6] State: ...[Step 2/6] Review: risk=LOW|MEDIUM|HIGH|CRITICAL; findings=...[Step 3/6] Sandbox: pass|fail[Step 4/6] Consent: pending|approved|denied[Step 5/6] Install: pass|fail[Step 6/6] Trust write: skipped|pending|written
Refusal conditions
Stop and ask for confirmation/override when any condition is met:
- Skill identity is ambiguous.
- Inspect output is unavailable or incomplete.
- Risk is HIGH/CRITICAL and user has not explicitly approved.
- Requested config mutation lacks explicit consent.