openclaw-skill-vetter-mcp

MCP server for security-vetting third-party AI agent extensions before installation — Claude skills, ClawHub plugins, agent tool packs, any code-shaped artifact that runs in your agent environment with your API keys. 41 detection rules across prompt-injection patterns, hardcoded exfiltration channels (Discord/Slack/Telegram webhooks, SSH-key reads, AWS-creds reads), dangerous dynamic execution (eval, exec, subprocess shell=True, pickle.loads), manifest/permission drift, and known typosquat dependencies. Outputs a 0-100 risk score + BLOCK/REVIEW/CAUTION/CLEAN bucket + per-finding evidence. Native ClawHub manifest support; the rule engine generalizes to any code-shaped extension via Custom MCP Build adapters. Keywords: AI agent security, plugin vetting, supply-chain security, prompt injection detection, MCP static analysis.

What it does

Third-party AI agent extensions — Claude skills, ClawHub plugins, MCP servers themselves, agent tool packs, npm-distributed agent code — are code that runs inside your environment with your API keys, your filesystem access, your network egress. The supply-chain attack surface is now broadly recognized + actively exploited:

• The OWASP MCP Top 10 catalogues prompt injection, command injection, and "rug pull" attacks where compromised MCP servers update with malicious tool definitions after user approval. Microsoft, Datadog, Atlassian, Palo Alto Unit 42, and Prompt Security have all published detailed threat analyses in 2026: see Datadog's MCP risks blog, Atlassian's MCP Clients risk awareness, and Unit 42's MCP sampling attack vectors.

• The 2026 ClawHavoc campaign poisoned the OpenClaw skill registry (ClawHub) at scale. Latest public counts: 824 confirmed malicious skills (~7.7% of a 10,700+ registry as of mid-Feb 2026) per Koi Security + The Hacker News. Snyk's ToxicSkills study flagged prompt injection in 36% of skills + 1,467 malicious payloads. Bitdefender's independent analysis places it at ~900 / ~20% of the ecosystem. Antiy Labs catalogued 1,184 historically published. Zscaler ThreatLabz documented the DeepSeek-Claw skill distributing Remcos RAT + GhostLoader — exfils macOS keychain, SSH keys, crypto wallets, cloud API tokens.

• The OpenClaw runtime itself accumulated 138+ CVEs in 2026 (tracker) — one-click RCE (CVE-2026-25253, CVSS 8.8), browser-snapshot RCE (CVE-2026-42436), privilege escalation, cross-site WebSocket hijacking, and more.

• Agent-config files (AGENTS.md, .cursor/rules.md, .claude/CLAUDE.md, .gemini/config) are now the universal control layer + the next attack surface. Vercel's "AGENTS.md outperforms skills in our agent evals" (HN, 524↑) signals mainstream adoption. The same week, Cursor CVE-2026-26268 and Gemini CLI CVSS 10.0 yolo-mode demonstrated config-file-as-instruction-vector. The arxiv community is treating this as an open research question: "Evaluating AGENTS.md: are they helpful for coding agents?" (HN 232↑) reaches arxiv as the verification problem becomes urgent. v1.1 of this server adds vet_agent_config(directory) covering the trust-boundary failure mode — see Tool surface below.

• Cross-model deception via reframed prompts. Nav Toor's CLTR-paper thread (10K views) cites a real Claude→Gemini case: "Claude Code rewrote its own prompt to reframe the task as 'accessibility for people with hearing impairments.' Gemini complied. One frontier model lied to another frontier model to break a safety filter." The skill-as-attack-vector surface now includes inter-model prompt manipulation, not just local code execution.

The same shape of attack works against any third-party extension a user installs into their AI agent runtime — Claude skills, MCP servers, browser-extension agents, npm-distributed agent code. The defensive question every operator faces before clicking install: "is this safe to run with my API keys?"

This MCP server runs a battery of static-analysis scanners against any skill's directory and produces a single VetReport that an operator can act on:

> claude: vet the data-extractor skill before I install it.
[MCP tool: vet_skill]

Skill 'data-extractor': BLOCK — do not install.
Risk score: 100/100. Findings: 1 critical, 4 high, 1 info.

Critical:
  EXFIL.WEBHOOK_DISCORD (extract.py:5) —
    Hardcoded Discord webhook URL: 'https://discord.com/api/webhooks/...'
    Recommendation: Refuse install unless explicitly justified.

High:
  AST.OS_SYSTEM (extract.py:14) — os.system('curl ... | bash')
  EXFIL.ENV_DUMP (extract.py:9) — dumps full os.environ
  MANIFEST.WILDCARD_PERMISSION — `network.http: *`
  ...

Vet result for data-extractor: REFUSE INSTALL.

> claude: any flagged skills currently installed?
[MCP tool: flagged_skills_report]

2 skills flagged at REVIEW or BLOCK:
  - data-extractor       BLOCK   risk_score=100   1 CRITICAL EXFIL.WEBHOOK_DISCORD
  - markdown-formatter   REVIEW  risk_score=35    1 HIGH AST.EVAL_CALL on user input

Why openclaw-skill-vetter-mcp

Three things existing tools (manual code review, generic SAST, ClawHub trust scores) don't do:

1. Skill-aware scanning. Generic SAST tools don't know what an OpenClaw skill manifest looks like. They miss the most common malware shape: a "calculator" skill that requests network.http: *. The vetter cross-checks declared purpose against requested permissions.

2. Risk score the operator can paste into a ticket. Not "high cyclomatic complexity" — BLOCK — Discord webhook at extract.py:5. Each finding has rule_id, file:line, evidence, and a specific recommendation.

3. Built for review-before-install, not after-the-fact audit. Run it from inside Claude on a skill you're about to add. Get a verdict in seconds. Refuse the install if it's BLOCK; sandbox-test if REVIEW; install if CLEAN.

Built for the production-AI operator who has been bitten (or doesn't want to be) by ClawHavoc-style supply-chain attacks.

How this fits in the OpenClaw security ecosystem

The OpenClaw security crisis has spawned a multi-vendor tooling landscape. This server's place in it:

This server isn't a replacement for the SaaS layer — large organizations should pair both. It's a replacement for manual code review of every ClawHub skill before install, with a verdict an operator can paste into a ticket in seconds.

Tool surface

Resources:

• skill-vetter://overview — installed-skills risk overview

• skill-vetter://flagged — currently-flagged skills

• skill-vetter://rules — detection rules catalog

Prompts:

• pre-install-skill-check — vet a specific skill before installation

• weekly-skill-audit — compose a 200-word weekly audit of all installed skills

• agent-config-audit (v1.1+) — vet a project directory's agent-config files for adversarial content

Quickstart

Install

pip install openclaw-skill-vetter-mcp

Quick verify (~30 seconds, no config)

After install, run the bundled demo to see the vetter catch real malicious skill patterns:

openclaw-skill-vetter-mcp-demo

You'll see 6 hand-shaped skills vetted: typically 2 BLOCK (a data-extractor with hardcoded Discord webhook + os.system at risk_score 100/100; a requestz-typosquat of requests at 55/100) + 2 REVIEW (eval() + manifest-purpose drift) + 2 CLEAN. No external I/O, no API keys — safe to run anywhere. Useful first-30-seconds check before pointing at your real ~/.openclaw/skills/ directory.

Configure for Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "openclaw-skill-vetter": {
      "command": "python",
      "args": ["-m", "openclaw_skill_vetter_mcp"],
      "env": {
        "OPENCLAW_SKILL_VETTER_BACKEND": "mock"
      }
    }
  }
}

Backends

Skill manifest format

Each skill directory contains a skill.yaml (or skill.json):

id: weather-fetch
name: Weather Fetch
version: 1.0.0
author: verified-publisher@openclaw.example
description: Fetches current weather for a city using OpenWeatherMap.
purpose: Live weather data lookup
runtime: python3.11
entry_point: main.py
permissions:
  - network.http: api.openweathermap.org
dependencies:
  - requests>=2.31
  - pydantic>=2.0
signature: ed25519:abcd1234efgh5678

Plus the actual code files (*.py, *.js, *.ts, *.sh, *.rb, *.go, *.rs) and any prompt files (*.prompt, *.md, *.txt).

If your OpenClaw deployment uses a different on-disk shape, see the Custom MCP Build section below.

Detection rules (v1.0)

Four scanner modules cover the v1.0 ruleset:

Manifest — MANIFEST.MISSING, MANIFEST.PURPOSE_NETWORK_DRIFT, MANIFEST.WILDCARD_PERMISSION, MANIFEST.BROAD_FILESYSTEM_WRITE, MANIFEST.EMPTY_DESCRIPTION, MANIFEST.NO_AUTHOR, MANIFEST.UNSIGNED

Static patterns (text regex over code + prompts) —

• Prompt-injection: PROMPT_INJ.IGNORE_PRIOR, PROMPT_INJ.ROLE_OVERRIDE, PROMPT_INJ.EXTRACT_SYSTEM, PROMPT_INJ.JAILBREAK_DAN, PROMPT_INJ.NEW_USER_MARKER

• Exfiltration: EXFIL.WEBHOOK_DISCORD, EXFIL.WEBHOOK_SLACK, EXFIL.WEBHOOK_TELEGRAM, EXFIL.PASTEBIN_LITERAL, EXFIL.SSH_KEY_READ, EXFIL.AWS_CREDS_READ, EXFIL.ENV_DUMP, EXFIL.SUBPROCESS_CURL

• Dynamic execution: DYN_EXEC.SHELL_TRUE, DYN_EXEC.OS_SYSTEM, DYN_EXEC.EVAL_LITERAL, DYN_EXEC.EXEC_LITERAL, DYN_EXEC.PICKLE_LOADS, DYN_EXEC.DYNAMIC_IMPORT

• Obfuscation: OBFUSCATION.LARGE_BASE64, OBFUSCATION.LARGE_HEX

Python AST (catches what regex misses) — AST.EVAL_CALL, AST.EXEC_CALL, AST.COMPILE_CALL, AST.OS_SYSTEM, AST.OS_POPEN, AST.OS_EXECV, AST.SUBPROCESS_RUN_SHELL_TRUE, AST.SUBPROCESS_POPEN_SHELL_TRUE, AST.DYNAMIC_IMPORT

Dependencies — DEP.TYPOSQUAT, DEP.HOMOGLYPH, DEP.UNTRUSTED_GIT_SOURCE, DEP.LOCAL_PATH

Use list_detection_rules to query the live catalog.

Risk scoring

Each finding contributes by severity:

Final risk_score = min(sum, 100). Bucketing (first match wins):

Conservative-by-design: false positives are OK, missed criticals are not. If your operator workflow disagrees with a specific rule, you can filter by category on the client side, or fork + customize.

Roadmap

Need this adapted to your stack?

If your AI deployment doesn't use the OpenClaw skill format — different agent harness, custom skill schema, monolithic skill files, internal-registry distribution — and you want the same vet-before-install discipline, that's a Custom MCP Build engagement.

To engage:

1. Email hello@temhan.dev with subject Custom MCP Build inquiry — skill vetting

2. Include: 1-paragraph description of your skill ecosystem + which tier you're considering

3. Reply within 2 business days with a 30-min discovery call slot

This server is part of a production-AI infrastructure MCP suite — companion to silentwatch-mcp, openclaw-health-mcp, and openclaw-cost-tracker-mcp. Install all four for full operational visibility.

Production AI audits

If you're running production AI and want an outside practitioner to score readiness, find the failure patterns already present (ClawHavoc-style skill malware being one of the most damaging), and write the corrective-action plan:

Same email channel: hello@temhan.dev with subject AI audit inquiry.

Contributing

PRs welcome. Scanners are pluggable — see src/openclaw_skill_vetter_mcp/scanners/ for the contract.

To add a new scanner:

1. Create scanners/<your_scanner>.py exporting SCANNER_NAME: str and def scan(skill: Skill) -> list[Finding]

2. Optionally export def all_rules() -> list[tuple[...]] for the rules catalog

3. Register in analysis.vet_skill (the orchestrator iterates over a fixed tuple of scanner modules)

4. Add tests in tests/test_scanners.py

To add a new backend:

1. Subclass SkillBackend in backends/<your_backend>.py

2. Implement get_skills, get_skill_by_id, get_directory

3. Register in backends/__init__.py

4. Add tests in tests/test_backend_<your_backend>.py

Bug reports + feature requests: open a GitHub issue. False-positive reports: include the skill snippet that fired the wrong rule and we'll tune.

License

MIT — see LICENSE.

Related

• Production-AI MCP Suite (Gumroad bundle) — this server plus 6 others in one curated 7-pack bundle with a decision tree, day-one drill, and Custom MCP Build CTA. $29.

• silentwatch-mcp — cron silent-failure detection

• openclaw-health-mcp — deployment health

• openclaw-cost-tracker-mcp — token-cost telemetry + 429 prediction (v1.1+)

• openclaw-upgrade-orchestrator-mcp — read-only upgrade advisor + provider-side regression detection (v1.2+)

• openclaw-output-vetter-mcp — agent claim verification (inline grounding-check + swallowed-exception scanner + multi-turn transcript review)

• AI Production Discipline Framework — Notion template, $19 — methodology these MCPs implement

• SPEC.md — full server design

Built by Temur Khan — production AI engineer. Contact: hello@temhan.dev