How do I install skill-vetter?

Run `npx skills add https://github.com/app-incubator-xyz/skill-vetter --skill skill-vetter` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does skill-vetter support?

skill-vetter works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is skill-vetter free to use?

Yes. skill-vetter is free to install and use. It is available from the open explainx.ai skill registry published by app-incubator-xyz.

Where can I read ratings and reviews for skill-vetter?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

Productivity

skill-vetter▌

app-incubator-xyz/skill-vetter · updated Apr 8, 2026

$npx skills add https://github.com/app-incubator-xyz/skill-vetter --skill skill-vetter

summary

Security gate that scans skills for malicious code, vulnerabilities, and suspicious patterns before installation.

›Runs four integrated scanners: aguara (prompt injection detection), skill-analyzer (malicious patterns and CVE database), secrets-scan (hardcoded credentials), and structure-check (malformed files and dangerous configurations)
›Accepts ClawHub skill names, GitHub URLs, or local paths as input and returns a three-tier verdict: BLOCKED (critical/high findings), REVIEW (medium f

skill.md

Skill Vetter

Security gate that runs multiple scanners against a skill before installation.

When to Use

Use before installing ANY skill to Claude Code, OpenClaw, or your other favorite AI agent — whether from ClawHub, GitHub, or any external source.

Ask the user: "Should I run skill-vetter on this before installing?" whenever they mention installing a new skill.

How to Run

Check dependencies first

bash {baseDir}/scripts/check-deps.sh

Fix any missing dependencies before proceeding.

Run the full scan

bash {baseDir}/scripts/vett.sh "<skill-name-or-path>"

The argument can be:

A ClawHub skill name: youtube-summarize
A GitHub URL: https://github.com/user/repo
A local path: /tmp/my-skill/

Interpret Results

Verdict	Meaning	Action
BLOCKED	CRITICAL or HIGH findings	Do NOT install. Show findings.
REVIEW	Medium severity findings	Show findings, ask user to decide.
SAFE	All scanners passed	Proceed with installation.

After Verdict

Always show the user:

Which scanners ran
Which passed/failed
Specific findings for anything flagged
Your recommendation

Never install the skill automatically. Always confirm with the user after showing results.

Scanners Used

Scanner	What It Checks
aguara	Prompt injection, obfuscation, suspicious LLM calls
skill-analyzer	Known malicious patterns, CVE database
secrets-scan	Hardcoded API keys, tokens, credentials
structure-check	Missing SKILL.md, malformed YAML, dangerous files

Example Output

════════════════════════════════════════════════════════════
SKILL VETTER — Security Scan: malicious-skill
Path: /tmp/skill-vetter-abc123/malicious-skill
════════════════════════════════════════════════════════════

[1/4] aguara............. ✅ PASS
[2/4] skill-analyzer..... ❌ FAIL (HIGH: prompt injection pattern)
[3/4] secrets-scan....... ⚠️  WARN (Medium: base64 encoded string)
[4/4] structure-check.... ✅ PASS

════════════════════════════════════════════════════════════
VERDICT: BLOCKED
Reasons: 1 HIGH, 1 MEDIUM
════════════════════════════════════════════════════════════

Do NOT install this skill. It contains:
- HIGH: Prompt injection in SKILL.md (line 47)
- MEDIUM: Base64 encoded string in scripts/run.sh (line 12)

Dependencies

aguara — Go-based prompt scanner
skill-analyzer — Cisco AI skill scanner (Python)
python3 — For additional checks
curl, jq — For API calls and JSON parsing

Run check-deps.sh to verify all tools are installed.

general reviews

Ratings

4.6★★★★★48 reviews

★★★★★Ren Bhatia· Dec 28, 2024
Keeps context tight: skill-vetter is the kind of skill you can hand to a new teammate without a long onboarding doc.
★★★★★Sakshi Patil· Dec 12, 2024
skill-vetter is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
★★★★★Hiroshi Ghosh· Dec 4, 2024
skill-vetter has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Yuki Harris· Nov 23, 2024
Solid pick for teams standardizing on skills: skill-vetter is focused, and the summary matches what you get after install.
★★★★★Lucas Diallo· Nov 19, 2024
We added skill-vetter from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Yuki Singh· Oct 14, 2024
We added skill-vetter from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Diego Tandon· Oct 10, 2024
Solid pick for teams standardizing on skills: skill-vetter is focused, and the summary matches what you get after install.
★★★★★Noor Gupta· Sep 25, 2024
skill-vetter is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
★★★★★Noor Menon· Sep 21, 2024
I recommend skill-vetter for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Yuki Diallo· Sep 21, 2024
skill-vetter fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

showing 1-10 of 48

1 / 5