GuardSkills

GuardSkills is a security tool designed to add an extra layer of protection when installing software components called 'skills'. It works by scanning these skills for potentially harmful patterns before they are added to your system. This helps to reduce the risk of installing malicious code.

Benefits

GuardSkills acts as a security wrapper, scanning files for malicious patterns before installation. It provides a risk assessment, categorizing skills as SAFE, WARNING, UNSAFE, CRITICAL, or UNVERIFIABLE. This helps users make informed decisions about what to install. It is designed to be used alongside existing security practices, not as a replacement for them.

Use Cases

GuardSkills can be used to scan skills from various sources. For skills hosted on GitHub, you can use commands likeguardskills add owner/repo --skill <skill-name> --dry-runto scan without installing. For skills on your local machine, you can useguardskills scan-local <path-to-skill-folder>. It also supports scanning skills from ClawHub usingguardskills scan-clawhub. The tool can be configured using aguardskills.config.jsonfile for custom settings and policies.

Vibes

The current version, v1.0.0, is considered stable and suitable for production use when combined with standard security review practices. While a SAFE classification means no known high-risk patterns were detected, it does not guarantee complete safety.

Additional Information

GuardSkills includes features like support for GitHub resolvers, a static scanner with a rule matrix, and a score-based decision engine. It offers controls for gate policies, dry runs, and CI modes. The tool also has resolver safety controls such as timeouts and file size limits. It provides structured error handling and retry mechanisms. The project has undergone comprehensive testing and includes release hardening measures like CI/CD workflows and npm provenance publishing.