skillguard-audit
// Audit agent skills for security threats before installing them. Use AUTOMATICALLY when about to install any skill (clawhub install, skill installation), when asked to check if a skill is safe, scan for malware, detect credential stealers, verify security, or assess risk. Also triggers on "is this sk
SkillGuard
Audit any OpenClaw skill for security risks before you install it.
Calls the SkillGuard API (https://api.agentsouls.io/api/audit) and returns a verdict, risk score, and threat list.
Usage
Audit a skill from ClawHub by name
bash skills/skillguard/audit.sh --name <skill-slug>
This uses clawhub inspect --file to pull the skill's SKILL.md (and any scripts), then sends the code to the audit API.
Audit a local file
bash skills/skillguard/audit.sh --code <path-to-file>
Reads the file and sends its contents for audit.
Output
Returns JSON with:
- verdict:
SAFE|CAUTION|DANGEROUS - riskScore: 0–100
- threats: list of identified risks
Example:
{
"verdict": "CAUTION",
"riskScore": 35,
"threats": ["Executes arbitrary shell commands", "Accesses network without disclosure"]
}
When to use
Before installing any new skill, run:
bash skills/skillguard/audit.sh --name <skill-name>
If verdict is DANGEROUS, do not install. If CAUTION, review the threats and decide with the user.
Privacy Notice
⚠️ Data transmission: When you run an audit, the full source code of the skill is sent to the SkillGuard API (https://api.agentsouls.io) for analysis. No code is stored permanently — it is analyzed in-memory and discarded after the audit completes. The API returns only the verdict, risk score, and detected threats.
If you prefer not to send code to an external service, you can self-host the SkillGuard audit engine (contact us for details) or review skill code manually.