Skill Guard 🛡️
Security-first skill install/download guardian protocol. Never install or download a skill without running the security check first.
⛔ MANDATORY INTERCEPTION RULE
This skill MUST be triggered whenever the user's message matches ANY of the following INTENT PATTERNS (in any language, including synonyms, paraphrases, word order variations, or mixed-language expressions):
INTENT CATEGORIES (trigger if the message expresses ANY of these intents):
1. ACQUIRE A SKILL
   The user wants to install, add, download, enable, load, import, deploy, or otherwise obtain a skill/tool.
   Examples: "install", "add", "download", "get", "enable", "set up", "bring in", "put in", "grab", "fetch", "pull in", "register"
   + target object is a skill, tool, or a URL pointing to one.
2. SCAN / VERIFY A SKILL
   The user wants to scan, check, inspect, audit, or verify the safety/integrity of a skill.
   Examples: "scan", "check", "inspect", "audit", "verify", "validate", "test safety"
   + target object is a skill, all skills, or a scheduled task involving skills.
TRIGGER RULES:
- Match on INTENT + OBJECT together, not on exact phrases.
- A URL pointing to a skill resource (e.g. clawhub, convex.site, github, or any skill download endpoint) counts as the OBJECT signal even if the word "skill" is absent.
- Synonyms, compound verbs, and reordered phrases all count (e.g. "下载安装", "帮我弄进来", "把这个装上").
- Any language is valid. Mixed-language input (e.g. "帮我 install 这个 skill") also triggers.
- When in doubt, TRIGGER. False positives are acceptable; missed triggers are not.
When triggered, you MUST follow this exact sequence:
1. STOP — do NOT execute `clawhub install`, `clawhub resolve`, `npx clawhub install` or any install/download command yet. FIRST run the Guardian Protocol (Step 1 → Step 2 → Step 3 below).
2. Copy `report_text` from the JSON verbatim — display it exactly as-is to the user. NEVER write your own security report.
3. Then decide based on the JSON `bd_confidence` field:
   - ✅ `safe` → proceed with install automatically
   - ⚠️ `caution` → warn user and wait for explicit confirmation
   - ❌ `danger` / `null` / `error` → warn user and wait for explicit confirmation
🚨 NO EXCEPTIONS. Do not skip this protocol. Do not install first and check later. Do not generate your own report — always use report_text from the script output.
When to Use
- Before installing/downloading any skill from ClawdHub, the Baidu AppBuilder platform, GitHub, or other sources
- Before running skills from GitHub repos
- When evaluating skills shared by other agents
- Anytime you're asked to install, add, enable, or download any skill
- When asked to scan a specific installed skill for security risks
- When asked to scan all installed skills
- When setting up scheduled security scans for skills
Guardian Protocol
Step 1: Identify the Skill (MANDATORY)
Before executing any install command, you MUST first confirm:
- [ ] What is the skill's slug (unique identifier)?
- [ ] What is the skill's version (optional)?
- [ ] Where does it come from? (ClawdHub / GitHub / Baidu AppBuilder platform / other)
If the user only provides a name (not a slug), search to confirm the slug first, but do NOT run any install command.
Step 2: Run API Security Check (MANDATORY — Core Step)
Before installing, you MUST run the security check script. Use scripts/check.sh to call the security API:
Scenario A: Query by slug (for direct install by name)
- Use `--slug` to query by the skill's slug identifier.

```bash
bash scripts/check.sh --slug skill-slug [--version 1.0.0]
```
Scenario C: Scan a specific installed skill by directory
- Use `--action query --file` to pass the installed skill directory directly. The script auto-extracts the slug from `_meta.json` (falling back to the directory name) and the version from the `SKILL.md` frontmatter, then queries the API with a SHA256 fallback.

```bash
bash scripts/check.sh --action query --file /path/to/skills/skill-a
```
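The local identification step that Scenario C describes, as an added example in Python (this is not the project's `scripts/check.sh`). It assumes `_meta.json` stores the slug under a `slug` key, that the `SKILL.md` frontmatter declares `version: x.y.z`, and that the SHA256 fallback is a digest over every file in the skill directory (the page does not say what the script hashes); `build_demo_skill` constructs sample skill directories in a temp folder so the block runs offline.

```python
"""Added example: slug / version / SHA256 identification for one installed skill directory.

Not the project's own code. Assumptions: _meta.json carries a "slug" key, the SKILL.md
frontmatter carries "version: x.y.z", and the SHA256 fallback hashes the directory contents.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Optional


def read_meta_slug(skill_dir: Path) -> Optional[str]:
    """Slug from _meta.json ("slug" key is an assumption); None if absent, unreadable or empty."""
    meta = skill_dir / "_meta.json"
    if not meta.is_file():
        return None
    try:
        data = json.loads(meta.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return None
    slug = data.get("slug") if isinstance(data, dict) else None
    return slug if isinstance(slug, str) and slug.strip() else None


def read_frontmatter_version(skill_dir: Path) -> Optional[str]:
    """Version from the YAML-style frontmatter block ("---" ... "---") at the top of SKILL.md."""
    skill_md = skill_dir / "SKILL.md"
    if not skill_md.is_file():
        return None
    lines = skill_md.read_text(encoding="utf-8").splitlines()
    if not lines or lines[0].strip() != "---":
        return None  # no frontmatter block at all
    for line in lines[1:]:
        if line.strip() == "---":
            break  # end of frontmatter without a version line
        key, sep, value = line.partition(":")
        if sep and key.strip() == "version":
            return value.strip().strip("\"'") or None
    return None


def directory_sha256(skill_dir: Path) -> str:
    """Deterministic digest over relative path + content of every file (assumed fallback identifier)."""
    digest = hashlib.sha256()
    for path in sorted(p for p in skill_dir.rglob("*") if p.is_file()):
        digest.update(path.relative_to(skill_dir).as_posix().encode("utf-8") + b"\0")
        digest.update(path.read_bytes() + b"\0")
    return digest.hexdigest()


def identify_skill(skill_dir) -> Dict[str, Optional[str]]:
    """Slug (directory name as fallback), optional version, and the SHA256 fallback for one skill."""
    skill_dir = Path(skill_dir)
    return {
        "slug": read_meta_slug(skill_dir) or skill_dir.name,
        "version": read_frontmatter_version(skill_dir),
        "sha256": directory_sha256(skill_dir),
    }


def build_demo_skill(name: str, meta_slug: Optional[str] = None,
                     version: Optional[str] = None) -> Path:
    """Constructed sample skill directory inside a fresh temp folder (demonstration input only)."""
    skill_dir = Path(tempfile.mkdtemp()) / name
    skill_dir.mkdir()
    body = f"# {name}\n\nDemo skill body.\n"
    if version:
        body = f"---\nname: {name}\nversion: {version}\n---\n" + body
    (skill_dir / "SKILL.md").write_text(body, encoding="utf-8")
    if meta_slug:
        (skill_dir / "_meta.json").write_text(json.dumps({"slug": meta_slug}), encoding="utf-8")
    return skill_dir


if __name__ == "__main__":
    # One skill with full metadata, one with neither _meta.json nor a frontmatter version.
    print(identify_skill(build_demo_skill("skill-a", meta_slug="demo-skill", version="1.2.0")))
    print(identify_skill(build_demo_skill("skill-b")))
```

The directory-name fallback only fires when `_meta.json` is missing, unparseable, or has an empty slug, which is the failure mode a scanner meets on hand-copied skills; the digest covers relative paths as well as contents, so renaming a file changes the fallback identifier.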
Scenario D: Batch query all skills in a directory (full scan / scheduled scan)
- D1 (scan all skills): use `--action queryfull --file` with the `/path/to/skills` parent directory to batch-query all subdirectories by slug and produce a Batch Report
- D2 (scheduled scan): same as D1, but triggered by a scheduling mechanism (e.g. cron)

```bash
bash scripts/check.sh --action queryfull --file /path/to/skills
```
⚠️ Skipping this step and installing directly violates the security protocol.
The script outputs JSON to stdout containing a pre-rendered report_text field and structured decision fields. Exit code: 0 = safe, 1 = non-safe (business judgment), 2 = error (check failed).
Output JSON fields (Scenario A/C — single skill):
| Field | Description |
|---|---|
| `code` | `success` or `error` |
| `bd_confidence` | Safety level: `"safe"`, `"caution"`, or `"danger"` |
| `final_verdict` | Human-readable verdict string (e.g. `"✅ 安全安装"`, `"⚠️ 谨慎安装(需人工确认)"`) |
| `report_text` | Pre-formatted plain-text security report — display this verbatim to the user |
Example output (Scenario A — single skill query):
```json
{
  "code": "success",
  "message": "success",
  "ts": 1774580473733,
  "bd_confidence": "safe",
  "final_verdict": "✅ 安全安装",
  "report_text": "🛡️ Skill安全守卫报告\n═══════════════════════════════════════\n📊 守卫摘要\n..."
}
```
Output JSON fields (Scenario D — batch scan):
| Field | Description |
|---|---|
| `code` | `success` or `error` |
| `total` | Total number of skills scanned |
| `safe_count` | Number of safe skills |
| `danger_count` | Number of dangerous skills |
| `caution_count` | Number of caution skills |
| `report_text` | Pre-formatted plain-text batch report — display this verbatim to the user |
Example output (Scenario D — batch scan):
```json
{
  "code": "success",
  "msg": "queryfull completed",
  "ts": 1774580473880,
  "total": 2,
  "safe_count": 2,
  "danger_count": 0,
  "caution_count": 0,
  "error_count": 0,
  "report_text": "🛡️ Skill安全守卫报告\n═══════════════════════════════════════\n📊守卫摘要\n..."
}
```
Step 3: Display Report Verbatim & Decide (MANDATORY)
⛔ CRITICAL RULE: You MUST display report_text from the JSON exactly as-is. NEVER generate, summarize, rephrase, or reformat the security report yourself. The report is pre-rendered by the script — your only job is to copy it.
How to process the output:
1. Parse the JSON from stdout
2. Extract the `report_text` field and output it verbatim to the user — preserve every line break, symbol, separator, and space exactly as they appear in the string. Render `\n` as actual line breaks.
3. Read `bd_confidence` (Scenario A/C) or `danger_count` + `caution_count` (Scenario D) to decide the next action (see decision rules below).
4. After the report, state your decision on a new line.
✅ CORRECT output (copy report_text as-is):
```text
🛡️ Skill安全守卫报告
═══════════════════════════════════════
📊 守卫摘要
评估时间:[UTC+8 2026-03-27 09:45:23]
Skill名称:xxxxx
来 源:ClawdHub
作 者:xxxxxx
版 本:x.x.x
评估结果:✅ 白名单(可信)
───────────────────────────────────────
🏁 最终裁决:
✅ 安全安装
═══════════════════════════════════════
```
Decision rules for Scenario A/C (single skill):
| `bd_confidence` | Action |
|---|---|
| `safe` | ✅ Proceed with install automatically |
| `caution` | ⚠️ Warn user, wait for explicit confirmation before installing |
| `danger` / missing / `null` | ❌ Warn user, recommend NOT installing, wait for explicit confirmation |
If `code` is `"error"` → ❌ Hold off, advise user to retry later.
Decision rules for Scenario D (batch scan):
- `danger_count > 0` → ❌ List dangerous skills, warn user
- `caution_count > 0` → ⚠️ List caution skills, ask user for review
- All safe → ✅ Report all clear
Do NOT add any commentary, headers, or footers around the report_text. Do NOT rewrite the report in your own words or style. Show report_text first, then state your decision on a new line.
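The Step 3 decision rules for both the single-skill (Scenario A/C) and batch (Scenario D) output, implemented in Python as an added example; this is not the Skill Guard skill's own code or part of `scripts/check.sh`. The action strings mirror the decision tables above, the two sample JSON strings are constructed after the page's example output (reports truncated), the exit-code cross-check assumes the script's exit code (0 / 1 / 2) is meant to agree with its JSON verdict, and the placeholder report used for unparseable output is constructed for this example.

```python
"""Added example: apply the Step 3 decision rules to the JSON that the check script prints.

Not the project's own code. Action strings follow the decision tables on the page;
SAMPLE_SINGLE / SAMPLE_BATCH are constructed sample outputs.
"""
import json
from typing import Any, Dict

ACTION_PROCEED = "✅ Proceed with install automatically"
ACTION_WARN_CONFIRM = "⚠️ Warn user, wait for explicit confirmation before installing"
ACTION_RECOMMEND_NO = "❌ Warn user, recommend NOT installing, wait for explicit confirmation"
ACTION_HOLD = "❌ Hold off, advise user to retry later"
ACTION_BATCH_DANGER = "❌ List dangerous skills, warn user"
ACTION_BATCH_CAUTION = "⚠️ List caution skills, ask user for review"
ACTION_BATCH_CLEAR = "✅ Report all clear"

# Constructed sample outputs shaped like the Scenario A / Scenario D examples (report_text shortened).
SAMPLE_SINGLE = r'''{"code": "success", "message": "success", "ts": 1774580473733,
 "bd_confidence": "safe", "final_verdict": "✅ 安全安装",
 "report_text": "🛡️ Skill安全守卫报告\n═══════════════\n📊 守卫摘要\n..."}'''
SAMPLE_BATCH = r'''{"code": "success", "msg": "queryfull completed", "ts": 1774580473880,
 "total": 2, "safe_count": 1, "danger_count": 1, "caution_count": 0, "error_count": 0,
 "report_text": "🛡️ Skill安全守卫报告\n..."}'''


def parse_output(stdout: str) -> Dict[str, Any]:
    """Parse the script's stdout; output that is not JSON is treated like a failed check."""
    try:
        return json.loads(stdout)
    except json.JSONDecodeError:
        # Constructed placeholder report; the real script prints its own error report.
        return {"code": "error", "report_text": "(security check produced no valid JSON)"}


def decide_single(result: Dict[str, Any]) -> str:
    """Scenario A/C: an error code wins, then bd_confidence; anything else counts as danger."""
    if result.get("code") == "error":
        return ACTION_HOLD
    confidence = result.get("bd_confidence")  # may be absent or null
    if confidence == "safe":
        return ACTION_PROCEED
    if confidence == "caution":
        return ACTION_WARN_CONFIRM
    return ACTION_RECOMMEND_NO  # "danger", missing, null, or an unexpected value


def decide_batch(result: Dict[str, Any]) -> str:
    """Scenario D: dangerous skills take precedence over caution skills."""
    if result.get("code") == "error":
        return ACTION_HOLD
    if (result.get("danger_count") or 0) > 0:
        return ACTION_BATCH_DANGER
    if (result.get("caution_count") or 0) > 0:
        return ACTION_BATCH_CAUTION
    return ACTION_BATCH_CLEAR


def exit_code_agrees(exit_code: int, action: str) -> bool:
    """Cross-check the exit code (0 safe, 1 non-safe, 2 error) against the JSON-derived action."""
    expected = {
        0: {ACTION_PROCEED, ACTION_BATCH_CLEAR},
        1: {ACTION_WARN_CONFIRM, ACTION_RECOMMEND_NO, ACTION_BATCH_DANGER, ACTION_BATCH_CAUTION},
        2: {ACTION_HOLD},
    }
    return action in expected.get(exit_code, set())


def render_response(stdout: str, batch: bool = False) -> str:
    """report_text verbatim (json.loads already turns \\n into line breaks), then the decision line."""
    result = parse_output(stdout)
    action = decide_batch(result) if batch else decide_single(result)
    return f"{result.get('report_text') or ''}\n{action}"


if __name__ == "__main__":
    print(render_response(SAMPLE_SINGLE))
    print(render_response(SAMPLE_BATCH, batch=True))
```

`render_response` never touches the report string itself: the only text it adds is the decision on a new line after it, which is exactly the output shape Step 3 prescribes. A disagreement flagged by `exit_code_agrees` (for instance exit code 0 alongside a missing `bd_confidence`) is a reason to hold and re-run the check rather than to pick the friendlier verdict.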
Important Notes
- No skill is worth compromising security
- When in doubt, don't install
- Delegate high-risk decisions to human judgment
- When the API call fails (timeout, network error, etc.), the script outputs an error report with exit code 2 — the verdict is ❌ Hold off, advise user to retry later; do not skip the check
Security is the bottom line, not an option. 🛡️🦀
Skill Guard 🛡️
Security-first skill install/download guardian protocol. Never install or download any skill before the security check has been run.
⛔ MANDATORY INTERCEPTION RULE
This skill MUST be triggered whenever the user's message matches any of the following intent patterns (in any language, including synonyms, paraphrases, word-order changes, or mixed-language expressions):
INTENT CATEGORIES (trigger if the message expresses any of these intents):
1. ACQUIRE A SKILL
   The user wants to install, add, download, enable, load, import, deploy, or otherwise obtain a skill/tool.
   Examples: install, add, download, get, enable, set up, import, put in, grab, pull in, register
   + the target object is a skill, a tool, or a URL pointing to a skill.
2. SCAN / VERIFY A SKILL
   The user wants to scan, check, inspect, audit, or verify the safety/integrity of a skill.
   Examples: scan, check, inspect, audit, verify, confirm, test safety
   + the target object is a skill, all skills, or a scheduled task involving skills.
TRIGGER RULES:
- Match on the INTENT + OBJECT combination, not on exact phrases.
- A URL pointing to a skill resource (e.g. clawhub, convex.site, github, or any skill download endpoint) counts as the OBJECT signal even when the word "skill" does not appear.
- Synonyms, compound verbs, and reordered phrases all count (e.g. 下载安装, 帮我弄进来, 把这个装上).
- Any language is valid. Mixed-language input (e.g. 帮我 install 这个 skill) also triggers.
- When in doubt, trigger. False positives are acceptable; missed triggers are not.
When triggered, the following exact sequence MUST be followed:
1. STOP: do not execute `clawhub install`, `clawhub resolve`, `npx clawhub install`, or any install/download command
2. First run the Guardian Protocol (Step 1 → Step 2 → Step 3 below)
3. Copy `report_text` from the JSON verbatim and display it to the user exactly as-is. Never write your own security report.
4. Then decide based on the `bd_confidence` field in the JSON:
   - ✅ `safe` → proceed with install automatically
   - ⚠️ `caution` → warn user and wait for explicit confirmation
   - ❌ `danger` / `null` / `error` → warn user and wait for explicit confirmation
🚨 NO EXCEPTIONS. Do not skip this protocol. Do not install first and check later. Do not generate your own report; always use the `report_text` from the script output.
When to Use
- Before installing/downloading any skill from ClawdHub, the Baidu AppBuilder platform, GitHub, or other sources
- Before running skills from GitHub repos
- When evaluating skills shared by other agents
- Whenever asked to install, add, enable, or download any skill
- When asked to scan a specific installed skill for security risks
- When asked to scan all installed skills
- When setting up scheduled security scans for skills
Guardian Protocol
Step 1: Identify the Skill (MANDATORY)
Before executing any install command, you must first confirm:
- [ ] What is the skill's slug (unique identifier)?
- [ ] What is the skill's version (optional)?
- [ ] Where does it come from? (ClawdHub / GitHub / Baidu AppBuilder platform / other)
If the user only provides a name (not a slug), search to confirm the slug first, but do not run any install command.
Step 2: Run the API Security Check (MANDATORY, core step)
Before installing, you must run the security check script. Use scripts/check.sh to call the security API:
Scenario A: Query by slug (for direct install by name)
- Use `--slug` to query by the skill's slug identifier.

```bash
bash scripts/check.sh --slug skill-slug [--version 1.0.0]
```

Scenario C: Scan a specific installed skill by directory
- Use `--action query --file` to pass the installed skill directory directly. The script automatically extracts the slug from `_meta.json` (falling back to the directory name) and the version from the `SKILL.md` frontmatter, then queries the API with a SHA256 fallback.

```bash
bash scripts/check.sh --action query --file /path/to/skills/skill-a
```

Scenario D: Batch-query all skills in a directory (full scan / scheduled scan)
- D1 (scan all skills): use `--action queryfull --file` with the `/path/to/skills` parent directory to batch-query all subdirectories by slug and produce a batch report
- D2 (scheduled scan): same as D1, but triggered by a scheduling mechanism (e.g. cron)

```bash
bash scripts/check.sh --action queryfull --file /path/to/skills
```

⚠️ Skipping this step and installing directly violates the security protocol.
The script writes JSON to stdout containing a pre-rendered `report_text` field and structured decision fields. Exit code: 0 = safe, 1 = non-safe (business judgment), 2 = error (check failed).
Output JSON fields (Scenario A/C, single skill):
| Field | Description |
|---|---|
| `code` | `success` or `error` |
| `bd_confidence` | Safety level: `safe`, `caution`, or `danger` |
| `final_verdict` | Human-readable verdict string (e.g. ✅ 安全安装, ⚠️ 谨慎安装(需人工确认)) |
| `report_text` | Pre-formatted plain-text security report; display it to the user verbatim |
Example output (Scenario A, single skill query):
```json
{
  "code": "success",
  "message": "success",
  "ts": 1774580473733,
  "bd_confidence": "safe",
  "final_verdict": "✅ 安全安装",
  "report_text": "🛡️ Skill安全守卫报告\n═══════════════════════════════════════\n📊 守卫摘要\n..."
}
```
Output JSON fields (Scenario D, batch scan):
| Field | Description |
|---|---|
| `code` | `success` or `error` |
| `total` | Total number of skills scanned |
| `safe_count` | Number of safe skills |
| `danger_count` | Number of dangerous skills |
| `caution_count` | Number of caution skills |
| `report_text` | Pre-formatted plain-text batch report; display it to the user verbatim |
Example output (Scenario D, batch scan):
```json
{
  "code": "success",
  "msg": "queryfull completed",
  "ts": 1774580473880,
  "total": 2,
  "safe_count": 2,
  "danger_count": 0,
  "caution_count": 0,
  "error_count": 0,
  "report_text": "🛡️ Skill安全守卫报告\n═══════════════════════════════════════\n📊守卫摘要\n..."
}
```
Step 3: Display the Report Verbatim & Decide (MANDATORY)
⛔ CRITICAL RULE: You must display `report_text` from the JSON exactly as-is. Never generate, summarize, rewrite, or reformat the security report yourself. The report is pre-rendered by the script; your only job is to copy it.
How to process the output:
1. Parse the JSON from stdout
2. Extract the `report_text` field and output it verbatim to the user, preserving every line break, symbol, separator, and space in the string. Render `\n` as actual line breaks.
3. Read `bd_confidence` (Scenario A/C) or `danger_count` + `caution_count` (Scenario D) to decide the next action (see the decision rules below).
4. After the report, state your decision on a new line.
✅ CORRECT output (copy report_text as-is):
```text
🛡️ Skill安全守卫报告
═══════════════════════════════════════
📊 守卫摘要
评估时间:[UTC+8 2026-03-27 09:45:23]
Skill名称:xxxxx
来 源:ClawdHub
作 者:xxxxxx
版 本:x.x.x
评估结果:✅ 白名单(可信)
───────────────────────────────────────
🏁 最终裁决:
✅ 安全安装
═══════════════════════════════════════
```
Decision rules for Scenario A/C (single skill):
| `bd_confidence` | Action |
|---|---|
| `safe` | ✅ Proceed with install automatically |
| `caution` | ⚠️ Warn user, wait for explicit confirmation before installing |
| `danger` / missing / `null` | ❌ Warn user, recommend NOT installing, wait for explicit confirmation |
If `code` is `error` → ❌