skillgate-gov
v0.1.2Supply-chain governance for OpenClaw skills: scan, assess, quarantine/restore.
Sourced from ClawHub,
Authored by liyecom
Installation
Please help me install the skill `skillgate-gov` from SkillHub official store.
npx skills add liyecom/skillgate-gov
SkillGate (Governance)
This skill teaches OpenClaw how to run SkillGate against a skills directory, generate evidence, and quarantine risky skills.
Quick Start (recommended)
We intentionally avoid global installs (
npm i -g) to reduce supply-chain risk. Use a pinned version vianpxfor deterministic behavior.
# Scan current workspace (read-only by default)
npx --yes @skillgate/[email protected] gov_scan .
# Show a human-readable explanation for a finding
npx --yes @skillgate/[email protected] gov_explain <EVIDENCE_JSON_PATH>
Provenance / How to verify what you run
# Verify package metadata
npm view @skillgate/[email protected] name version license repository
npm view @skillgate/[email protected] dist.tarball dist.integrity
# Optional: verify GitHub release & source
# Repo: https://github.com/skillgatesecurity/openclaw-skillgate
This package is published under the official @skillgate scope and built/released via GitHub Actions.
Permissions & Filesystem scope
- Network: not required for scanning local files (except fetching the npm package on first run).
- Default mode: read-only scan of the given directory.
- Writes (only when you explicitly run quarantine/restore commands):
- creates/updates evidence outputs under a local folder (e.g.
.skillgate/or the specified output path) - may quarantine a skill by moving/marking files within the target directory you pass in
It does not require secrets (no tokens/keys) and does not modify system-wide settings.
OpenClaw Plugin Commands
Once loaded as an OpenClaw plugin, these slash commands become available:
# scan all skills for risks (default: HIGH+)
/gov scan
# scan with all findings including LOW/INFO
/gov scan --all
# quarantine a specific skill
/gov quarantine <skillKey>
# restore a quarantined skill
/gov restore <skillKey>
# explain why a skill was flagged
/gov explain <skillKey>
# show governance status
/gov status
Risk Levels
| Level | Auto Action | Description |
|---|---|---|
| CRITICAL | Quarantine | Shell injection, supply-chain attacks |
| HIGH | Disable | Dangerous patterns, external downloads |
| MEDIUM | Warn | Risky but not immediately dangerous |
| LOW/INFO | Log | Informational only |
Local Development (optional)
If you prefer a local dependency instead of npx:
npm i -D @skillgate/[email protected]
npx gov_scan .
Notes
Use this as the standard operating procedure for Skill supply-chain reviews.