When you discover a malicious skill in your OpenClaw workspace, this skill walks you through the full incident response playbook: immediate containment, evidence preservation, investigation checkpoints, credential rotation priorities, and recovery verification. It's structured around severity levels (SEV-1 through SEV-4) and gives you explicit checklists for things like checking persistence mechanisms in bashrc or authorized_keys, rotating API keys in order of urgency, and documenting what happened. The opinionated stance is good here: containment first, assume the worst, never trust the malicious skill's own logs. It's basically a printed laminated card for the exact moment when you're panicking about what a sketchy skill might have accessed.
npx skills add https://github.com/useai-pro/openclaw-skills-security --skill incident-responder