
skillguard-check

Audit every locally-installed AI Skill against skill-guard's public security database (skillguard.vip). Use when (1) the user asks 'are my skills safe?' or '...
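Audits all locally installed AI skills against skill-guard's public security database (skillguard.vip). Applies when the user asks "are my skills safe?" or in similar situations.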
yangyixxxx
Uncategorized clawhub v1.0.0 1 version 99606.3 Key: not required
★ 0 stars, 📥 253 downloads, 💾 0 installs, 1 version, #latest

Overview

skillguard-check

Audit AI Skills installed on this machine against the public skill-guard security database at https://skillguard.vip. Returns a JSON report listing blocked and high-risk skills along with links to their public audit pages so the user can decide what to uninstall.

When to invoke

Trigger this skill any time the user expresses concern about installed-skill safety, or after the user installs a new skill. Concrete cues:

  • "are my skills safe?", "check my installed skills", "audit my skills"
  • "I just installed XYZ from ClawHub, is it ok?"
  • "any malicious skills on my machine?"
  • The user mentions a skill name and asks if it's trusted.
  • Periodic: when no audit has been run this session and the user is doing security-sensitive work (handling secrets, on a new machine, etc.).

How to invoke

Run the bundled script. It needs Python 3 (pre-installed on macOS / most Linux). No network access beyond https://skillguard.vip.

python3 scripts/check.py

The script outputs a single JSON object to stdout. Sample shape:

{
  "total": 12,
  "audited": 9,
  "unauditedCount": 3,
  "blocked": [
    {
      "slug": "openclaw-omni-expert",
      "path": "/Users/x/.claude/skills/openclaw-omni-expert",
      "score": 3,
      "riskLevel": "Critical",
      "findingsCount": 155,
      "auditUrl": "https://skillguard.vip/skills/clawhub/openclaw-omni-expert"
    }
  ],
  "highRisk": [
    {
      "slug": "some-skill",
      "score": 42,
      "riskLevel": "High",
      "auditUrl": "..."
    }
  ],
  "medium": [...],
  "safe": 5,
  "unaudited": [
    {"slug": "my-private-skill", "path": "...", "reason": "not in skill-guard database"}
  ],
  "errors": []
}

How to report back to the user

After parsing the JSON:

  1. If blocked is non-empty — open with `⚠️ blocked skill(s) found on this machine.` Then for each entry, give:
     • the slug + install path,
     • a one-line risk summary (use riskLevel + findingsCount),
     • the auditUrl so they can see findings,
     • a recommendation to uninstall.
  2. If highRisk is non-empty (and no blocked) — open with `Found high-risk skill(s).` Same format but softer language: "review the audit page and consider whether you trust the publisher".
  3. If only medium/safe/unaudited — `No blocked or high-risk skills detected.` Mention the unaudited count so the user knows some skills couldn't be checked (private/local skills that haven't been uploaded to skill-guard's database).
  4. Always end with the auditUrl for each surfaced skill. Don't paraphrase the audit verdict — link to the canonical page so the user reads the real findings, not a summary.
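One way to turn the report into the message these rules describe, as an added example (not the skill's bundled code). The sample report is constructed; listing high-risk entries alongside blocked ones, reporting the unaudited count in every case, and surfacing `errors` are assumptions beyond the rules as stated.

```python
import json

# Constructed sample in the report shape shown above (not real scan output).
SAMPLE = json.loads("""{
 "total": 4, "audited": 3, "unauditedCount": 1,
 "blocked": [{"slug": "openclaw-omni-expert",
   "path": "/Users/x/.claude/skills/openclaw-omni-expert",
   "score": 3, "riskLevel": "Critical", "findingsCount": 155,
   "auditUrl": "https://skillguard.vip/skills/clawhub/openclaw-omni-expert"}],
 "highRisk": [{"slug": "some-skill", "score": 42, "riskLevel": "High",
   "auditUrl": "https://skillguard.vip/skills/clawhub/some-skill"}],
 "medium": [], "safe": 1,
 "unaudited": [{"slug": "my-private-skill", "path": "/Users/x/.skills/my-private-skill",
   "reason": "not in skill-guard database"}],
 "errors": []}""")

def _entry(e, advice):
    # highRisk entries in the sample shape carry no path or findingsCount.
    where = f" ({e['path']})" if e.get("path") else ""
    n = e.get("findingsCount")
    findings = f", {n} findings" if n is not None else ""
    return (f"- {e.get('slug', '?')}{where}: {e.get('riskLevel', 'unknown')}"
            f"{findings}. {advice} Audit: {e.get('auditUrl', 'missing')}")

def summarize(report):
    """Return the user-facing lines for one check.py report."""
    blocked = report.get("blocked") or []
    high = report.get("highRisk") or []
    if blocked:
        # \u26a0\ufe0f is the warning sign used in the opening line above.
        lines = ["\u26a0\ufe0f blocked skill(s) found on this machine."]
    elif high:
        lines = ["Found high-risk skill(s)."]
    else:
        lines = ["No blocked or high-risk skills detected."]
    lines += [_entry(e, "Recommend uninstalling.") for e in blocked]
    # Assumption: high-risk entries are still listed when blocked ones exist.
    lines += [_entry(e, "Review the audit page and consider whether you "
                        "trust the publisher.") for e in high]
    unaudited = report.get("unauditedCount", len(report.get("unaudited") or []))
    if unaudited:
        lines.append(f"{unaudited} skill(s) could not be checked "
                     "(not in skill-guard's database).")
    if report.get("errors"):
        # Failed lookups mean the verdict above is incomplete, not clean.
        lines.append(f"{len(report['errors'])} lookup error(s); result is incomplete.")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```
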

What gets scanned

The script checks these install paths (in order):

| Path | Used by |
|------|---------|
| ~/.claude/skills/ | Claude Code |
| ~/.openclaw/skills/ | OpenClaw |
| ~/.local/share/claude-skills/ | Linux convention |
| ~/.skills/ | Generic |
| ~/Library/Application Support/Claude/skills/ | Claude Desktop on macOS |

Each immediate subdirectory is treated as one skill, named by the directory. The script then queries https://skillguard.vip/skills/clawhub/.json for the public audit verdict.

Skills that aren't in the public database (private skills, custom builds, unpublished bundles) are reported under unaudited — not flagged, but called out so the user knows they're un-audited.

Limitations

  • **Only checks skills that match a slug in skill-guard's ClawHub-sourced database.** Privately-developed skills won't have an audit. Users can run a fresh scan via https://skillguard.vip/ (paste the GitHub URL) or POST /v1/scan/upload with a zip.
  • Uses the most recent verdict in skill-guard's DB. If a skill was re-published on ClawHub after the last skill-guard scan, the verdict may be stale. The audit page shows lastScannedAt for transparency.
  • Slug-matching only. Two different skills with the same directory name (e.g. github) collide. The audit URL is the source of truth — if the displayed name doesn't match what the user installed, treat as unaudited.

Version history

1 version in total

  • v1.0.0 (current)
    2026-05-12 05:27 Safe Safe

Security scan

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
