How does typosquatting detection work in this skill?

It compares the requested skill name against known legitimate patterns to identify character swaps, missing letters, or homoglyphs that might trick a user into installing a fake skill.

Why should I vet a Claude Code skill before installing it?

Vetting is essential to prevent malicious skills from accessing sensitive system files, executing unauthorized shell commands, or exfiltrating private data via network requests.

Can this audit skills from sources other than GitHub?

Yes, it is designed to vet skills from ClawHub, local file shares, and any other external source where a SKILL.md file is provided.

Does the vetting process happen automatically?

It provides a structured manual-first audit flow, giving the operator a detailed checklist and report to make the final install-or-block decision.

What are the most dangerous red flags this skill identifies?

The vetter specifically flags combinations of 'network' and 'shell' permissions, references to credential directories like ~/.ssh or ~/.aws, and the use of obfuscated strings.

Security Skill Vetter

Name: Security Skill Vetter
Author: 812lcl

by812lcl

0•

Security & Testing

Performs security-first audits of Claude Code skills to detect suspicious patterns, excessive permissions, and potential threats before installation.

Security Skill Vetter provides a rigorous, manual-first security review framework for OpenClaw skills, enabling developers and operators to audit third-party code from ClawHub, GitHub, or local sources. It systematically evaluates metadata for typosquatting, analyzes permission scopes—specifically flagging dangerous combinations like simultaneous shell and network access—and scans for critical red flags such as hardcoded credentials or obfuscated commands. By producing a standardized vetting report with clear safety verdicts, it empowers users to maintain a secure AI development environment and make informed decisions about which external capabilities to trust.

Key Features

010 GitHub stars

02Typosquatting detection to prevent installation of look-alike malicious skills

03Source-based trust hierarchy evaluation for community and official skills

04Critical red-flag scanning for SSH keys, AWS credentials, and obfuscated code

05Structured vetting reports with clear SAFE, WARNING, or DANGER verdicts

06Comprehensive permission scope analysis for network and shell access

Use Cases

01Performing periodic safety reviews of currently installed skills in your environment

02Auditing a new skill from an unverified GitHub repository before installation

03Verifying the legitimacy of skills shared within community forums or third-party marketplaces

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add 812lcl/dotfiles skill-vetter

For use in Claude.ai and ChatGPT