Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope,...
Real data. Real impact.
Growing
Developers
Per week
Open source
Skills give you superpowers. Install in 30 seconds.
Security-first vetting protocol for AI agent skills. Never install a skill without vetting it first.
Questions to answer: - [ ] Where did this skill come from? - [ ] Is the author known/reputable? - [ ] How many downloads/stars does it have? - [ ] When was it last updated? - [ ] Are there reviews from other agents?
Read ALL files in the skill. Check for these RED FLAGS:
๐จ REJECT IMMEDIATELY IF YOU SEE: โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โข curl/wget to unknown URLs โข Sends data to external servers โข Requests credentials/tokens/API keys โข Reads ~/.ssh, ~/.aws, ~/.config without clear reason โข Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md โข Uses base64 decode on anything โข Uses eval() or exec() with external input โข Modifies system files outside workspace โข Installs packages without listing them โข Network calls to IPs instead of domains โข Obfuscated code (compressed, encoded, minified) โข Requests elevated/sudo permissions โข Accesses browser cookies/sessions โข Touches credential files โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Evaluate: - [ ] What files does it need to read? - [ ] What files does it need to write? - [ ] What commands does it run? - [ ] Does it need network access? To where? - [ ] Is the scope minimal for its stated purpose?
| Risk Level | Examples | Action |
|---|---|---|
| ๐ข LOW | Notes, weather, formatting | Basic review, install OK |
| ๐ก MEDIUM | File ops, browser, APIs | Full code review required |
| ๐ด HIGH | Credentials, trading, system | Human approval required |
| โ EXTREME | Security configs, root access | Do NOT install |
After vetting, produce this report:
SKILL VETTING REPORT โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ Skill: [name] Source: [ClawdHub / GitHub / other] Author: [username] Version: [version] โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ METRICS: โข Downloads/Stars: [count] โข Last Updated: [date] โข Files Reviewed: [count] โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ RED FLAGS: [None / List them]PERMISSIONS NEEDED: โข Files: [list or "None"] โข Network: [list or "None"]
โข Commands: [list or "None"] โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ RISK LEVEL: [๐ข LOW / ๐ก MEDIUM / ๐ด HIGH / โ EXTREME]VERDICT: [โ SAFE TO INSTALL / โ ๏ธ INSTALL WITH CAUTION / โ DO NOT INSTALL]
NOTES: [Any observations] โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
For GitHub-hosted skills:
# Check repo stats curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, forks: .forks_count, updated: .updated_at}'List skill files
curl -s "https://api.github.com/repos/OWNER/REPO/contents/skills/SKILL_NAME" | jq '.[].name'
Fetch and review SKILL.md
curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md"
Paranoia is a feature. ๐๐ฆ
No automatic installation available. Please visit the source repository for installation instructions.
View Installation Instructions
1,500+ AI skills, agents & workflows. Install in 30 seconds. Part of the Torly.ai family.
ยฉ 2026 Torly.ai. All rights reserved.