Marketplace Safe Install Scanner v1.0
Released: 2026-05-11
Price: $4.99
Category: security
QA Status: APPROVED_FOR_RELEASE / SECURITY_CLEARED
What it does
Marketplace Safe Install Scanner is a pre-install safety check for OpenClaw and ClawHub skills. It statically reviews a local skill folder before installation, scores the package, and returns a pass, review, or block verdict based on risky patterns such as dynamic code execution, shell subprocesses, destructive commands, credential reads, network capability, and missing skill metadata.
It is designed for cautious buyers and marketplace operators who want evidence before trusting third-party skill code, without importing, executing, installing, or publishing the target package.
Use cases
- OpenClaw users installing third-party skills who want a fast safety verdict before adding unknown code to their environment.
- Marketplace reviewers and skill vendors who need machine-readable evidence for risky patterns, skipped files, sensitive-file names, and package completeness.
- Consultants and teams managing shared agent environments who need a repeatable quarantine/review gate before untrusted skills reach production agents.
Requirements
- OpenClaw skill runtime with local file access.
- Python 3.10+ recommended.
- No third-party Python packages required; uses the Python standard library only.
- No API keys required.
- Input must be a local skill or repository directory.
- Hidden directories are skipped by default unless
--allow-hiddenis supplied; sensitive filenames such as.env,openclaw.json,MEMORY.md,USER.md,SOUL.md,credentials.json, andid_rsaare reported by name and not read. - OpenClaw version: compatible with current OpenClaw skill layout and CLI execution model.
Example usage
python3 scripts/safe_install_scanner.py ./downloaded-skill --json
Expected output
{
"tool": "marketplace-safe-install-scanner",
"target": "downloaded-skill",
"files_scanned": 2,
"score": 100,
"verdict": "pass",
"findings": [],
"sensitive_files_seen": [".env"],
"skipped_files": [
{"file": "assets/demo.bin", "reason": "binary_or_unsupported"}
],
"recommendations": [
"No blocking patterns found; still inspect SKILL.md for usefulness and fit."
]
}
Marketing copy
Marketplace Safe Install Scanner gives OpenClaw users a practical quarantine gate for third-party skills: point it at a local skill folder and get a static safety score, pass/review/block verdict, risky-pattern findings, skipped-file evidence, and name-only sensitive-file reporting before install. It never executes target code, calls the network, or reads secrets, making it ideal for cautious buyers, marketplace QA, and teams standardising safe skill intake.
QA and release context
Viper approved the 2026-05-11 post-Iceman rerun after confirming clean packages pass, risky fixtures block, hidden/sensitive fixtures report .env by name only, large and binary files are safely skipped, missing targets return clean JSON errors, and generated pycache artifacts are absent. Security Audit: CLEARED by Warlock.