Before you install that ClawHub skill or drop an AGENTS.md into your repo, run it through this vetter. It scans code and manifests for 41 patterns: hardcoded Discord/Slack webhooks, SSH key reads, dangerous eval/exec calls, prompt injection signatures, and permission drift between declared purpose and requested scope. You get a 0-100 risk score, a BLOCK/REVIEW/CAUTION/CLEAN verdict, and per-finding evidence with file and line number. Two tools: vet_skill() for third-party extensions and vet_agent_config() for .cursor/rules, CLAUDE.md, and similar instruction files. Built for the post-ClawHavoc world where 7-20% of a public registry turned out to be poisoned and agent config files are now recognized attack surfaces.
claude mcp add --transport stdio temurkhan13-openclaw-skill-vetter-mcp -- uvx openclaw-skill-vetter-mcp