SR
SKILLRADAR
AI Security • Benchmarking • Index
Menu
Trust Report v1

360Guard

360-degree comprehensive security review Skill. Use before installing any Skill from ClawHub, GitHub, or other sources. Performs full security scans including all Skill Vetter checks plus extended system/privacy/behavior checks and automated scanning scripts. Supports static anal

Overall
63
Trust
29
Utility
88
Momentum
95

Install caution

High-risk behavior present

Risk: High

Source: OpenClaw Master Skills

Path: skills/360guard-skillvetter-upgrade-version/SKILL.md

Review flags: browser/session access, credential or secret references, filesystem/home-directory access, network access or external URLs. These are review signals, not definitive security judgments; inspect before installing.

Required permissions

  • Environment variables / secrets
  • Shell commands
  • Network/API usage
  • Filesystem/home access
  • Browser/session access

Permissions are inferred from SKILL.md text only. They are review prompts, not guarantees about runtime behavior.

Risk flags explained

browser_or_session_accessmedium

Mentions browser automation, cookies, sessions, local storage, or browser state.

credential_or_secret_referencehigh

Mentions tokens, API keys, passwords, or private-key style environment variables.

filesystem_write_or_home_accessmedium

Mentions filesystem writes, deletes, home-directory paths, or config/key locations.

network_accessmedium

Mentions external URLs, network APIs, downloads, or HTTP client usage.

shell_commandmedium

Contains shell command snippets. Review commands before copy/paste or agent execution.

Score explanation

Trust

  • Trust starts at 90 before review-signal penalties and metadata bonuses.
  • Risk-signal penalty: -63 from 5 detected flag(s).
  • Metadata bonus: +2 from author/version/description fields.

Utility

  • Utility starts at 55 and rewards clear descriptions, runnable examples, and explicit setup needs.
  • Description present: yes.
  • Command examples detected: 8.
  • Environment variables detected: 4.

Momentum

  • Momentum starts at 45 and uses public repo activity signals.
  • Recent commit activity: latest repo update was 6 day(s) ago.
  • Recent commit volume: 6 commit(s) in the lookback window (+18).
  • Source has strong public adoption: 2049 stars.
  • Fork activity suggests reuse: 309 forks.

Overall

  • Overall score weights trust 45%, utility 35%, and momentum 20%.

Detected signals

Env vars

  • API
  • API_
  • SECRET
  • TOKEN

Commands

  • curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars, forks, updated, language}'
  • curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, updated: .updated_at}'
  • curl -s "https://api.github.com/repos/OWNER/REPO/contents/" | jq '.[].name'
  • curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/SKILL.md"
  • git clone https://github.com/OWNER/REPO
  • node ~/.npm-global/lib/node_modules/openclaw/skills/360guard/scripts/scanner.cjs ./REPO
  • node ~/.npm-global/lib/node_modules/openclaw/skills/360guard/scripts/scanner.cjs ./SKILL_NAME
  • wget -O skill.zip "https://clawhub.ai/api/download/SKILL_NAME"

URLs

  • http://\|https://\|wget\|curl\|fetch
  • https://api.github.com/repos/OWNER/REPO
  • https://api.github.com/repos/OWNER/REPO/contents/
  • https://clawhub.ai/api/download/SKILL_NAME
  • https://github.com/OWNER/REPO
  • https://raw.githubusercontent.com/OWNER/REPO/main/SKILL.md

Provenance & evidence

SkillRadar makes each review traceable back to the exact source path, source blob SHA, scanner version, and text-only policy that produced the report.

source
github.com/LeoYeAI/openclaw-master-skills@main
path
skills/360guard-skillvetter-upgrade-version/SKILL.md
source blob SHA
686d8bbb428e06c81b3ff2c35a2a51ded504c2a5
scanner version
0.3.0
security model
text_only_no_execute_no_install_no_secrets
scan policy
Fetched and scored as text only; no install, no execution, no runtime loading.

Evidence snippets

credential_or_secret_reference

…theft check: • Reads clipboard (pbpaste) • Reads environment variables (especially API_, SECRET, TOKEN) • Accesses browser history/bookmarks • Accesses macOS Keychain • Accesses iMessag…

filesystem_write_or_home_access

…nown URLs • Sends data to external servers • Requests credentials/tokens/API keys • Reads ~/.ssh, ~/.aws, ~/.config without clear reason • Accesses MEMORY.md, USER.md, SOUL.md, IDENT…

network_access

…ct immediately if you see: ──────────────────────────────────────────────────────────── • curl/wget to unknown URLs • Sends data to external servers • Requests credentials/tokens/API k…

browser_or_session_access

…ated code (compressed, encoded, minified) • Requests elevated/sudo permissions • Accesses browser cookies/sessions • Touches credential files ─────────────────────────────────────────────…

shell_command

…───────────┘ ``` ## 3. Security Checklist ### 3.1 Base Red Flags (from Skill Vetter) ``` 🚨 Reject immediately if you see: ──────────────────────────────────────────────────────────── • curl/wget to unknown URLs • Sends data to external servers • Requests cred

Watch this skill

Get alerted when this skill adds credential requirements, shell commands, external domains, remote installer patterns, or risk-level changes.

Join watchlist beta

Methodology note

SkillRadar scans SKILL.md as hostile text only. It does not execute commands, install packages, or load third-party skills.

View source SKILL.mdBack to changesView sources