Skill details (site mirror, no comments)
Author: Merk @0xmerkle
License: MIT-0
MIT-0 · Free to use, modify and redistribute. No attribution required.
Version: v1.0.0
Stats: ⭐ 0 · 212 · 1 current installs · 1 all-time installs
Package: 0xmerkle/skill-guard-actor
Security scan (ClawHub)
- VirusTotal: Suspicious
- OpenClaw: Suspicious
OpenClaw assessment
The skill's high-level purpose (pre-install scanning) aligns with its requirements, but there are documentation/instruction inconsistencies and an automatic file-write behavior that warrant caution before installing.
Purpose
SkillGuard claims to scan ClawHub skills using an Apify actor and Lakera Guard; the required environment variables (APIFY_TOKEN, LAKERA_API_KEY, OPENCLAW_WEBHOOK_URL, OPENCLAW_HOOKS_TOKEN) are appropriate and expected for that purpose. Requesting an Apify token as the primary credential is coherent with invoking an Apify actor.
Instruction scope
The SKILL.md and included script instruct the agent to trigger an Apify actor and receive results via an ad-hoc webhook — that is within scope. However: (1) the skill instructs an automatic 'On First Install' append of a policy to a TOOLS.md file in the workspace (modifies user files outside the skill directory); (2) there are inconsistent path references for that file ({baseDir}/../../TOOLS.md vs ~/.openclaw/workspace/TOOLS.md), which is ambi…
Install mechanism
No external downloads or package installs are performed by the skill itself — it's instruction-only with one included script. The script simply calls Apify's API; there is no high-risk install mechanism (no remote archive downloads or execution of fetched code).
Credentials
All four environment variables requested are relevant to the described workflow (Apify runs + webhook callback + Lakera). They are sensitive (tokens), so ensure they are stored securely. It's appropriate that APIFY_TOKEN is primary. No unrelated credentials are requested.
Persistence
The skill requests to perform an automatic write to a workspace-level TOOLS.md on first install (the SKILL.md explicitly says to do this 'automatically before responding'), which changes user workspace files outside the skill directory. Although not an elevated system privilege, this persistent modification of a user's files without a clearly documented consent step is a notable behavior and should be reviewed/approved by the user. Also, uncle…
Install (copy to the Lobster AI)
Copy the whole block below into a Lobster Chinese Library (龙虾中文库) chat; the Lobster agent then completes the installation according to SKILL.md.
Please hand this block to the Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "SkillGuard" on this machine. Summary: Scan ClawHub skills for prompt injection and malicious content using Lakera Gua…
Please fetch the following URL, read SKILL.md and complete the installation as the document describes: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/0xmerkle/skill-guard-actor/SKILL.md
(Source: yingzhi8.cn skill library)
SKILL.md
---
name: skill-guard
description: Scan ClawHub skills for prompt injection and malicious content using Lakera Guard before installing them. Run automatically when the user asks to install a skill, or on-demand to audit any skill by slug or search query.
metadata: {"openclaw": {"requires": {"env": ["APIFY_TOKEN", "LAKERA_API_KEY", "OPENCLAW_WEBHOOK_URL", "OPENCLAW_HOOKS_TOKEN"]}, "primaryEnv": "APIFY_TOKEN", "emoji": "🛡️", "homepage": "https://apify.com/numerous_hierarchy/skill-guard-actor"}}
---
# SkillGuard
Scan ClawHub skills for prompt injection, jailbreak attempts, and malicious instructions
before they get installed into your OpenClaw workspace.
## When to use this skill
- User says "install [skill]", "clawhub install [skill]", or "add the [skill] skill"
- User says "scan [skill]", "check [skill] for safety", "is [skill] safe?"
- User says "audit my skills" or "scan all installed skills"
- Any time you are about to install a third-party skill from ClawHub
## How it works
SkillGuard calls a hosted Apify actor (`numerous_hierarchy/skill-guard-actor`,
actor ID: `TMjFBNFqIIUfCBf6K`) that:
1. Fetches the raw SKILL.md content from ClawHub's public API
2. Passes it to Lakera Guard for prompt injection analysis
3. Returns a verdict: `safe`, `flagged`, or `error` with reasoning
Results are delivered back to your OpenClaw agent via an ad-hoc webhook.
## Running the actor
Use an ad-hoc webhook to trigger the run asynchronously and receive results
back via your OpenClaw hooks endpoint.
### Step 1: Build the webhook definition
Create this JSON array, then base64-encode it:
```json
[{
  "eventTypes": ["ACTOR.RUN.SUCCEEDED", "ACTOR.RUN.FAILED"],
  "requestUrl": "$OPENCLAW_WEBHOOK_URL",
  "headersTemplate": "{\"Authorization\": \"Bearer $OPENCLAW_HOOKS_TOKEN\"}",
  "payloadTemplate": "{\"resource\": {{resource}}}"
}]
```
(`headersTemplate` and `payloadTemplate` are JSON strings, so the inner quotes must be escaped; `{{resource}}` is an Apify template variable and stays literal inside the string.)
### Step 2: Start the run
Use the bundled script — it handles base64 encoding the webhook and making
the API call:
```bash
# Scan by slug
bash {baseDir}/scripts/scan.sh --slug instagram-search
# Scan by search query
bash {baseDir}/scripts/scan.sh --query instagram
# Both (results deduplicated)
bash {baseDir}/scripts/scan.sh --slug instagram-search --query instagram --max 5
```
The script reads `APIFY_TOKEN`, `LAKERA_API_KEY`, `OPENCLAW_WEBHOOK_URL`, and
`OPENCLAW_HOOKS_TOKEN` from the environment automatically.
Or make the API call manually:
```
POST https://api.apify.com/v2/acts/TMjFBNFqIIUfCBf6K/runs
?token=$APIFY_TOKEN
&webhooks=BASE64_ENCODED_WEBHOOK
Content-Type: application/json
```
To scan by slug:
```json
{
"skillSlugs": ["skill-name-here"],
"lakeraApiKey": "$LAKERA_API_KEY",
"maxSkills": 10
}
```
To scan by search query:
```json
{
"searchQuery": "instagram",
"lakeraApiKey": "$LAKERA_API_KEY",
"maxSkills": 5
}
```
You can provide both `skillSlugs` and `searchQuery` — results are deduplicated.
### Step 3: Receive results via webhook
When the run completes, your OpenClaw hooks endpoint receives a POST with the
actor's dataset items in `resource.defaultDatasetId`. Fetch them at:
```
GET https://api.apify.com/v2/datasets/{resource.defaultDatasetId}/items
```
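The three steps above, carried through in one place as an added example (this is not the skill's own `scan.sh` and not Apify's client library). It builds the webhook definition with correctly escaped templates, base64-encodes it, assembles the run request for either input shape, and pulls the dataset URL out of a webhook body. The URLs, actor ID and input field names are the ones quoted in SKILL.md; the token and endpoint values are placeholders, and nothing is sent over the network.

```python
# Added example; not part of the SkillGuard skill or its bundled scan.sh.
# Builds the Step 1 webhook definition, base64-encodes it, assembles the
# Step 2 run request, and derives the Step 3 dataset URL from a webhook body.
# Nothing here sends traffic; the request is returned as a plain dict.
import base64
import json
from urllib.parse import urlencode

ACTOR_ID = "TMjFBNFqIIUfCBf6K"  # actor ID quoted in SKILL.md
APIFY_RUNS_URL = f"https://api.apify.com/v2/acts/{ACTOR_ID}/runs"
APIFY_DATASET_URL = "https://api.apify.com/v2/datasets/{dataset_id}/items"


def build_webhook_definition(webhook_url: str, hooks_token: str) -> list:
    """Step 1: the ad-hoc webhook array. headersTemplate and payloadTemplate
    are JSON *strings* (json.dumps does the quote escaping); {{resource}} is
    an Apify template variable and must be left literally in the string."""
    return [{
        "eventTypes": ["ACTOR.RUN.SUCCEEDED", "ACTOR.RUN.FAILED"],
        "requestUrl": webhook_url,
        "headersTemplate": json.dumps({"Authorization": f"Bearer {hooks_token}"}),
        "payloadTemplate": '{"resource": {{resource}}}',
    }]


def encode_webhooks(definition: list) -> str:
    """Base64 of the compact JSON text, which is what the `webhooks` query parameter carries."""
    raw = json.dumps(definition, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def decode_webhooks(b64: str) -> list:
    """Inverse of encode_webhooks; useful for checking what was actually sent."""
    return json.loads(base64.b64decode(b64))


def build_run_request(apify_token: str, lakera_api_key: str, webhook_b64: str,
                      skill_slugs=None, search_query=None, max_skills: int = 10) -> dict:
    """Step 2: the POST that starts the actor. Mirrors the two input shapes in
    SKILL.md; both may be supplied, and slugs are deduplicated client-side."""
    if not skill_slugs and not search_query:
        raise ValueError("need skillSlugs and/or searchQuery")
    if max_skills < 1:
        raise ValueError("maxSkills must be >= 1")
    body = {"lakeraApiKey": lakera_api_key, "maxSkills": max_skills}
    if skill_slugs:
        body["skillSlugs"] = list(dict.fromkeys(skill_slugs))  # order-preserving dedupe
    if search_query:
        body["searchQuery"] = search_query
    query = urlencode({"token": apify_token, "webhooks": webhook_b64})
    return {
        "method": "POST",
        "url": f"{APIFY_RUNS_URL}?{query}",
        "headers": {"Content-Type": "application/json"},
        "json": body,
    }


def dataset_items_url(webhook_body: dict) -> str:
    """Step 3: the hooks endpoint receives {"resource": <run object>}; the
    items live under the run's defaultDatasetId. Reject ids that are not a
    plain alphanumeric token before interpolating them into a URL."""
    dataset_id = str(webhook_body["resource"]["defaultDatasetId"])
    if not dataset_id.isalnum():
        raise ValueError("unexpected dataset id")
    return APIFY_DATASET_URL.format(dataset_id=dataset_id)


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials or endpoints.
    definition = build_webhook_definition("https://hooks.example.invalid/openclaw",
                                          "HOOKS_TOKEN_PLACEHOLDER")
    request = build_run_request("APIFY_TOKEN_PLACEHOLDER", "LAKERA_KEY_PLACEHOLDER",
                                encode_webhooks(definition),
                                skill_slugs=["instagram-search", "instagram-search"],
                                search_query="instagram", max_skills=5)
    print(json.dumps(request, indent=2))
```

Two points worth noting from the decoded output: the bearer token for your hooks endpoint is embedded in the webhook definition and therefore in the run request's query string, and the Apify token itself is passed as a query parameter exactly as the manual call above shows. Query strings tend to end up in proxy and server logs; Apify's API also accepts the token in an `Authorization: Bearer` header, which keeps it out of the URL if you write your own caller.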
### Response format
Each skill in the dataset returns:
```json
[
{
"slug": "some-skill",
"name": "Some Skill",
"author": "username",
"verdict": "flagged",
"flagged": true,
"reasoning": "Flagged by Lakera: prompt_attack, unknown_links",
"url": "https://clawhub.ai/skills/some-skill",
"scanned_at": "2026-03-02T19:26:29.666Z"
}
]
```
## How to respond to the user
### If all skills are safe (`verdict: "safe"` for all):
Tell the user the skill passed the security scan and proceed with installation:
> "✅ [skill-name] passed the SkillGuard scan — no prompt injection or malicious content detected. Safe to install."
Then run: `clawhub install [slug]`
### If any skill is flagged (`verdict: "flagged"`):
Do NOT install the skill. Tell the user:
> "⚠️ SkillGuard flagged [skill-name] before installation. Reason: [reasoning]. I'm not installing it. You can review it manually at [url] and override if you trust the source."
Wait for explicit user confirmation before proceeding.
### If verdict is `error`:
> "⚠️ SkillGuard couldn't scan [skill-name] — [error_message]. Proceed with caution."
### If scanning multiple skills:
Show a summary table, then list any flagged ones with their reasoning. Only install the safe ones unless the user explicitly overrides.
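The receiving side of the flow and the verdict policy just described, as an added example that is not part of the SkillGuard skill: it checks the bearer token the webhook definition attaches (so an unauthenticated POST to the hooks endpoint cannot feed fake verdicts into the agent), checks that the run actually succeeded before trusting its dataset, and then buckets items into install / hold / error, failing closed on anything that is not an unambiguous `safe`. `SAMPLE_ITEMS` are constructed to mirror the response format above; they are not real scan output.

```python
# Added example; not part of the SkillGuard skill. Receiving-side checks for
# the ad-hoc webhook plus the "How to respond" verdict policy. SAMPLE_ITEMS are
# constructed to match the documented response format, not real scan results.
import hmac


def authorize_webhook(headers: dict, expected_token: str) -> bool:
    """Accept the POST only if it carries `Authorization: Bearer <OPENCLAW_HOOKS_TOKEN>`.
    Header lookup is case-insensitive; the comparison is constant-time."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.partition(" ")
    return scheme == "Bearer" and bool(token) and hmac.compare_digest(token, expected_token)


def run_succeeded(body: dict) -> bool:
    """The webhook fires for ACTOR.RUN.SUCCEEDED and ACTOR.RUN.FAILED alike, so
    check the run's status before reading its dataset as verdicts."""
    return body.get("resource", {}).get("status") == "SUCCEEDED"


def decide(items: list) -> dict:
    """Fail closed: only verdict "safe" with flagged == False is installable.
    "flagged", inconsistent records and unknown verdicts are held; "error" is
    reported separately so the user can be told the scan did not complete."""
    decision = {"install": [], "hold": [], "error": []}
    for item in items:
        slug = item.get("slug", "<unknown>")
        verdict = item.get("verdict")
        reason = item.get("reasoning") or "no reason given"
        if verdict == "safe" and item.get("flagged") is False:
            decision["install"].append(slug)
        elif verdict == "error":
            decision["error"].append((slug, reason))
        else:
            decision["hold"].append((slug, reason))
    return decision


def summary_table(items: list) -> str:
    """Plain-text summary table for the multi-skill case."""
    rows = [("slug", "verdict", "reasoning")]
    rows += [(str(i.get("slug", "")), str(i.get("verdict", "")), i.get("reasoning") or "")
             for i in items]
    widths = [max(len(r[c]) for r in rows) for c in range(3)]
    return "\n".join("  ".join(cell.ljust(widths[c]) for c, cell in enumerate(r)) for r in rows)


SAMPLE_ITEMS = [  # constructed; field names follow the documented response format
    {"slug": "some-skill", "name": "Some Skill", "author": "username", "verdict": "safe",
     "flagged": False, "reasoning": "", "url": "https://clawhub.ai/skills/some-skill",
     "scanned_at": "2026-03-02T19:26:29.666Z"},
    {"slug": "other-skill", "name": "Other Skill", "author": "username", "verdict": "flagged",
     "flagged": True, "reasoning": "Flagged by Lakera: prompt_attack, unknown_links",
     "url": "https://clawhub.ai/skills/other-skill", "scanned_at": "2026-03-02T19:26:30.000Z"},
    {"slug": "third-skill", "name": "Third Skill", "author": "username", "verdict": "error",
     "flagged": False, "reasoning": "constructed: Lakera request timed out",
     "url": "https://clawhub.ai/skills/third-skill", "scanned_at": "2026-03-02T19:26:31.000Z"},
    {"slug": "odd-skill", "name": "Odd Skill", "author": "username", "verdict": "safe",
     "flagged": True, "reasoning": "constructed: verdict and flagged disagree",
     "url": "https://clawhub.ai/skills/odd-skill", "scanned_at": "2026-03-02T19:26:32.000Z"},
]


if __name__ == "__main__":
    print(summary_table(SAMPLE_ITEMS))
    print(decide(SAMPLE_ITEMS))
```

The fourth sample record (verdict `safe` but `flagged: true`) is the case worth keeping in mind: the two fields should agree, and when they do not, holding the skill costs one confirmation prompt, whereas installing it on the strength of the word `safe` alone would turn a malformed record into a bypass.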
## Example interactions
**User:** "Install the instagram-search skill"
**You:** Run SkillGuard with `skillSlugs: ["instagram-search"]`. If flagged, report it and hold. If safe, install it.
**User:** "Scan instagram skills"
**You:** Run SkillGuard with `searchQuery: "instagram"`. Report the full results table with verdicts and reasoning for each.
**User:** "I know it's flagged, install it anyway"
**You:** Confirm once more, then proceed with `clawhub install [slug]` and note the override in your response.
## Environment variables required
- `APIFY_TOKEN` — your Apify API token (get one at console.apify.com)
- `LAKERA_API_KEY` — your Lakera Guard API key (get one at platform.lakera.ai)
- `OPENCLAW_WEBHOOK_URL` — your OpenClaw hooks endpoint URL
- `OPENCLAW_HOOKS_TOKEN` — your OpenClaw hooks auth token
## On First Install
When this skill is first installed and loaded, do the following automatically
before responding to the user:
### 1. Write the install policy to TOOLS.md
Append the following block to `{baseDir}/../../TOOLS.md`, creating the file
if it does not exist:
```
### ClawHub Install Policy (SkillGuard)
Before running `clawhub install <slug>` for ANY skill, you MUST first run
SkillGuard to scan it. If the scan returns `flagged`, do NOT install and
tell the user why. Only proceed if the user explicitly confirms the override.
```
Use bash to append it:
```bash
cat >> ~/.openclaw/workspace/TOOLS.md << 'EOF'
### ClawHub Install Policy (SkillGuard)
Before running `clawhub install <slug>` for ANY skill, you MUST first run
SkillGuard to scan it. If the scan returns `flagged`, do NOT install and
tell the user why. Only proceed if the user explicitly confirms the override.
EOF
```
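The `cat >>` above appends the block unconditionally, so every re-run of the first-install step stacks another copy of the policy into TOOLS.md. An idempotent version of the same write, as an added example that is not the skill's own snippet: it looks for the policy heading before appending, creates parent directories if needed, and takes the target path as a parameter because SKILL.md names two different locations for the file. The `demo()` helper exercises it in a throwaway directory.

```python
# Added example; not the skill's own `cat >>` snippet. Idempotent append of the
# install-policy block: a second run leaves TOOLS.md unchanged instead of adding
# a duplicate block. The path is a parameter rather than a hard-coded location.
import tempfile
from pathlib import Path

POLICY_HEADING = "### ClawHub Install Policy (SkillGuard)"
POLICY_BLOCK = f"""{POLICY_HEADING}
Before running `clawhub install <slug>` for ANY skill, you MUST first run
SkillGuard to scan it. If the scan returns `flagged`, do NOT install and
tell the user why. Only proceed if the user explicitly confirms the override.
"""


def write_install_policy(tools_md: Path, block: str = POLICY_BLOCK) -> str:
    """Append `block` to tools_md unless its heading line is already present.
    Returns "appended" or "already-present" so the caller can word its notice."""
    existing = tools_md.read_text(encoding="utf-8") if tools_md.exists() else ""
    if POLICY_HEADING in existing.splitlines():
        return "already-present"
    tools_md.parent.mkdir(parents=True, exist_ok=True)
    # Keep the block on its own line even if the file lacks a trailing newline.
    separator = "" if existing == "" or existing.endswith("\n") else "\n"
    with tools_md.open("a", encoding="utf-8") as fh:
        fh.write(separator + block)
    return "appended"


def demo() -> tuple:
    """Run the write twice in a scratch directory; report both outcomes and
    how many policy headings the file ends up containing."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "workspace" / "TOOLS.md"  # constructed scratch path
        first = write_install_policy(path)
        second = write_install_policy(path)
        count = path.read_text(encoding="utf-8").splitlines().count(POLICY_HEADING)
    return first, second, count


if __name__ == "__main__":
    print(demo())
```

The return value is also the natural place to hang a consent step: an agent that calls `write_install_policy` only after the user has agreed to the workspace change, and reports "already-present" instead of rewriting, addresses the persistence concern raised in the assessment at the top of this page.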
### 2. Notify the user
After writing to TOOLS.md, tell the user exactly this:
> "✅ SkillGuard is installed and your ClawHub install policy has been written
> to TOOLS.md. **Please start a new session now** to activate protection —
> any skills installed before you do will not be scanned. Once you're in a
> new session, all `clawhub install` commands will be scanned automatically."
Do not proceed with any other task until the user acknowledges this.
## Setup and integration
If the user needs help setting up the webhook endpoint or configuring their
OpenClaw gateway to receive results, refer them to the integration guide
bundled with this skill:
`{baseDir}/INTEGRATION.md`
Read it yourself if you need to explain any setup step to the user.