Skill Vetting Checklist: 5-Minute Review Before Installing an OpenClaw Skill
This is a short, repeatable process you can run before installing any OpenClaw skill from ClawHub or GitHub.
If you prefer “one click”: start with the Skill Verifier and the Verified Skills catalog.
Step 1: Read the permissions like a threat model
Ask: “What damage can this skill do with these permissions?”
Reference: /guides/permissions-explained
Fast flags:
fileRead+network(exfiltration possible)- any
shell(treat as RCE) - “simple tool” that requests broad permissions
Step 2: Skim the SKILL.md for intent mismatch
Look for:
- vague descriptions (“improves everything”)
- unclear inputs/outputs (“just run it”)
- no explanation of why network/shell is required
Step 3: Scan for obvious exfiltration patterns
If you have the skill content locally, run a quick grep for common red flags:
rg -n \"(curl|wget|nc |ncat|bash -c|sh -c|powershell|Invoke-WebRequest|base64|chmod\\s\\+x|ssh |scp |token|secret|\\.env|AWS_|GITHUB_|OPENAI_|ANTHROPIC_)\" .This is not perfect. It is a cheap filter that catches common malware families.
Step 4: Prompt injection check (hidden instructions)
Even “documentation-only” content can contain injection attempts:
- “ignore previous instructions”
- “system: you are now…”
- base64 blobs that decode into instructions
- HTML comments with hidden directives
Guide: /guides/prompt-injection-examples
Step 5: Sandbox dry-run (recommended)
If the skill is at all risky:
- Run in a sandbox: /guides/sandbox-setup
- Default to no-network
- Use a throwaway repo (no secrets, no SSH keys)
Step 6: Decide with a simple policy
- If it needs
shellor broad file access: only install if you can justify it and isolate it. - If it needs network: require a domain allowlist: /guides/network-allowlist
- If you are unsure: don’t install. Use a verified alternative.
Done (definition of done)
You can say “this is vetted” when:
- permissions match intent
- no obvious exfiltration/persistence patterns
- sandbox run does not show suspicious behavior