SkillGuard Hardened

intent

skillguard is a native security defense line for the openclaw skill ecosystem. use it to detect suspicious behavior before installing, updating, or executing skills, and during routine inspections. it scans skill directories against local static rules (high-risk behaviors, sensitive access, persistence, obfuscation, prompt injection) and runs semantic-level intent auditing via zenmux claude to catch deviations between declared capabilities and actual behavior. outputs structured json reports for consumption by other agents or automated flows. supports isolation (quarantine), restoration, and forced deletion (with explicit confirmation only). pick this when you need to gate skill installations, updates, executions, or run bulk security audits across your skill ecosystem.

inputs

external connections:

• zenmux api (claude-based semantic auditing). configure via ZENMUX_API_KEY environment variable (required for ai intent auditing; optional if fallback to local rules acceptable). optional model override via ZENMUX_MODEL env var.
• trusted remote domains for policy and manifest updates: moltbook.com, fluxapay.xyz.

parameters and context:

• skill root directories: scans skills/ and .skills/ by default, or custom paths via --root /path/to/skills.
• skill paths: incoming skill archives or directories for pre-install/update/exec checks.
• remediation flags: --auto-remediate quarantine or --auto-remediate delete (delete requires --force --yes).
• output format: json (default) or plaintext via --format json / --format text.
• local static rule set: embedded in scan_skills.py (no external config required, but policies can be updated from remote).

edge cases and constraints:

• if zenmux api key missing or api unreachable, falls back to local static rules only (ai auditing disabled).
• if skill directories are empty, scan returns zero-risk report.
• api rate limits (zenmux) may trigger backoff or queue; queries may timeout after 30 seconds.
• file system permissions: quarantine and delete actions require write access to skill roots and /root/clawd/output/skillguard/quarantine/.
• network timeouts for remote policy/manifest updates default to 10 seconds; offline mode falls back to cached policies.

procedure

1. [scan full ecosystem] run python3 {baseDir}/scripts/scan_skills.py scan (or with custom roots --root /path/to/skills --root /path/to/.skills). input: skill directories. output: json report with pass/warn/block/quarantine recommendations for each skill.

2. [gate before install] run python3 {baseDir}/scripts/scan_skills.py check-install /path/to/incoming-skill on the incoming skill tarball or directory. input: skill path. output: exit code (0 = safe, 1 = blocked) and json report; if block recommendation, installation is prevented.

3. [gate before update] run python3 {baseDir}/scripts/scan_skills.py check-update /path/to/updated-skill on the updated skill. input: updated skill path. output: exit code and json report; block prevents update.

4. [gate before execution] run python3 {baseDir}/scripts/scan_skills.py check-exec /path/to/skill for lightweight pre-exec scan, or use python3 {baseDir}/scripts/guarded_flow.py exec --skill-root /path/to/skill -- bash /path/to/skill/scripts/run.sh for wrapped execution with monitoring. input: skill path and exec command. output: exit code (0 = allowed, 1 = blocked); if allowed, skill runs under guarded subprocess wrapper.

5. [guarded install/update workflows] use python3 {baseDir}/scripts/guarded_flow.py npx-add owner/repo@skill -g -y, npx-update, moltbook-install, or moltbook-update to integrate skillguard gates into real installation pipelines. input: package specifier or moltbook manifest. output: exit code and audit log; on block, installation is rolled back.

6. [quarantine] run python3 {baseDir}/scripts/manage_skill.py quarantine <skill-name> --reason "description" to isolate a skill (moves it to /root/clawd/output/skillguard/quarantine/). input: skill name and reason. output: quarantine directory path and audit log entry.

7. [restore] run python3 {baseDir}/scripts/manage_skill.py restore <skill-name> to move a quarantined skill back to its original location. input: skill name. output: restored path and audit log entry.

8. [list quarantine] run python3 {baseDir}/scripts/manage_skill.py list to view all quarantined skills. input: none. output: table of quarantined skills, dates, and reasons.

9. [delete with confirmation] run python3 {baseDir}/scripts/manage_skill.py delete <skill-name> --force --yes to permanently delete a skill (only in whitelisted roots or quarantine). input: skill name plus explicit flags. output: deletion confirmation and audit log entry.

10. [clean or disinfect] run python3 {baseDir}/scripts/manage_skill.py clean <skill-name> to scan then auto-quarantine, or disinfect <skill-name> --action delete --force --yes to scan then auto-delete high-risk skills. input: skill name and optional action flags. output: scan report, remediation action taken, and audit log.

11. [bulk auto-remediate] run python3 {baseDir}/scripts/scan_skills.py scan --auto-remediate quarantine to scan all skills and auto-quarantine those matching block/quarantine recommendations, or use --auto-remediate delete --force --yes for bulk deletion (acts only on block/quarantine by default). input: remediation action flag. output: bulk remediation report and audit log.

12. [format output] use --format json to output structured json reports (default) or --format text for human-readable plaintext. input: format flag. output: report written to /root/clawd/output/skillguard/reports/.

decision points

• if zenmux api key is present and reachable: run full semantic intent auditing via claude, merge results with local rules. else: fallback to local static rules only, disable ai auditing, note in report.

• if skill is flagged block or quarantine (default policies): check if --auto-remediate flag is set. if yes, apply quarantine or delete action (delete requires --force --yes). else: output recommendation only, no auto action.

• if delete or disinfect command is invoked: require --force --yes flags. if missing, abort with error and audit log entry. if present, proceed with permanent deletion only if skill is in whitelisted roots or quarantine directory.

• if check-install, check-update, or check-exec returns block recommendation: prevent installation, update, or execution (exit code 1). if warn or pass: allow with optional human review (exit code 0).

• if skill directory is empty or does not exist: return zero-risk report (no block), note in audit log.

• if remote policy update fails (network timeout, dns failure): use last cached policies, log warning to audit log, continue scan.

• if quarantine directory lacks write permissions: fail remediation action with error, audit log entry.

output contract

json reports (default): written to /root/clawd/output/skillguard/reports/<timestamp>-<skill-name>.json. schema includes per-skill fields: name, path, scan-timestamp, local-rules-findings (array of violations with severity), ai-intent-findings (array of deviations if zenmux enabled), overall-recommendation (pass/warn/block/quarantine), remediation-applied (if auto-remediate flag used).

quarantine state: stored in /root/clawd/output/skillguard/quarantine/<skill-name>/ with manifest and reason file.

audit log: /root/clawd/output/skillguard/audit.log records all scans, gates, quarantine/restore/delete actions with timestamp, user/agent, action, skill name, and result.

exit codes: 0 (no block match, or successful action), 1 (block match, failed action, or missing required flags).

outcome signal

user knows the skill worked when: (1) scan or gate command returns exit code 0 (safe) or 1 (blocked) as expected, (2) json report in /root/clawd/output/skillguard/reports/ contains complete findings with no parse errors, (3) quarantine/restore/delete command updates quarantine directory and audit log, (4) guarded installation/update/execution integrates gate checks and prevents unsafe skills, (5) bulk auto-remediate processes all flagged skills without errors, (6) audit log entries appear immediately after each action with correct timestamps and details.

security transparency and disclosures

skillguard is a high-privilege security tool. to protect your system, it uses certain capabilities that might be flagged by general scanners: file remediation via shutil.rmtree (only on explicit --force --yes confirmation), guarded execution via subprocess.run within monitored wrapper, remote policy updates from trusted domains only (moltbook.com, fluxapay.xyz), and clean distribution (malicious test fixtures removed as of v1.0.2, generated dynamically at local test time only).

credits: developed and maintained by rose北港 (小红帽 / 猫猫帽帽).