A security gate for OpenClaw AgentSkills powered by the cisco-ai-defense/skill-scanner engine.
This skill provides a robust mechanism to scan, validate, and manage the security of OpenClaw skills. It enforces a strict policy: blocking installations with High or Critical severity findings while allowing others with explicit warnings.
- Pre-install Scanning: Scan local folders or ClawHub skills before they are added to your environment.
- Automated Monitoring: Systemd user units to automatically scan `~/.openclaw/skills` on every change.
- Auto-Quarantine: Automatically moves high-risk skills to `~/.openclaw/skills-quarantine` to prevent execution.
- Detailed Reporting: Generates Markdown risk reports for every scan.

```bash
# Clone and build the skill-scanner engine
cd "$HOME/.openclaw/workspace"
git clone https://github.com/cisco-ai-defense/skill-scanner
cd skill-scanner
CC=gcc uv sync --all-extras
```

```bash
# Scan a folder and install if safe
./scripts/scan_and_add_skill.sh /path/to/skill-dir

# Install from ClawHub with a scan gate
./scripts/clawhub_scan_install.sh <slug>
```

```bash
# Install and enable the systemd user units for automatic scanning
mkdir -p ~/.config/systemd/user
cp -a references/openclaw-skill-scan.* ~/.config/systemd/user/
systemctl --user daemon-reload
systemctl --user enable --now openclaw-skill-scan.path
```

- Critical/High: Installation blocked; skill quarantined (if auto-scan is enabled).
- Medium/Low/Info: Installation allowed with a warning summary.
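
The policy above, written out as a fail-closed gate. This is an added example, not code from this skill or from skill-scanner. The `gate_skill` function, its exit codes and the tab-separated findings format are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: the block/allow policy as a fail-closed gate.
# Assumption: FINDINGS_FILE holds "SEVERITY<TAB>description" lines. This is a
# constructed format, not skill-scanner's report format.

# gate_skill SKILL_DIR FINDINGS_FILE QUARANTINE_DIR
# Exit status: 0 allowed with warnings, 1 blocked and quarantined,
#              2 blocked because there is no readable scan result.
# The body is a subshell, so its variables do not leak into the caller.
gate_skill() (
  skill_dir=$1 findings=$2 quarantine=$3
  tab=$(printf '\t') blocked=0 warned=0

  # Fail closed: a missing scan result must never count as "clean".
  if [ ! -r "$findings" ]; then
    echo "BLOCK: no scan result for $skill_dir" >&2
    exit 2
  fi

  # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
  while IFS=$tab read -r sev desc || [ -n "$sev" ]; do
    [ -z "$sev" ] && continue
    case $(printf '%s' "$sev" | tr '[:lower:]' '[:upper:]') in
      CRITICAL|HIGH)   blocked=$((blocked + 1)); echo "BLOCK [$sev] $desc" >&2 ;;
      MEDIUM|LOW|INFO) warned=$((warned + 1));   echo "WARN  [$sev] $desc" >&2 ;;
      # Assumption: an unrecognised severity blocks rather than slipping through.
      *)               blocked=$((blocked + 1)); echo "BLOCK [unknown: $sev] $desc" >&2 ;;
    esac
  done < "$findings"

  if [ "$blocked" -gt 0 ]; then
    mkdir -p "$quarantine"
    dest=$quarantine/$(basename "$skill_dir")
    # Keep any earlier quarantined copy; it may be needed for analysis.
    [ -e "$dest" ] && dest=$dest.$(date +%s).$$
    mv -- "$skill_dir" "$dest"
    echo "QUARANTINED: $dest ($blocked blocking finding(s))" >&2
    exit 1
  fi
  echo "ALLOW: $warned warning(s)" >&2
  exit 0
)
```

An install wrapper would copy the skill into place only when `gate_skill` exits 0, treating both non-zero codes as a refusal.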
- ClawHub: skill-scanner-guard
- Source: jason-allen-oneal/openclaw-skill-scanner