p
Pincer
Verified@panzacoder
npx machina-cli add skill @panzacoder/pincer --openclawFiles (1)
SKILL.md
7.0 KB
pincer ๐ก๏ธ
Security-first wrapper for clawhub install. Scans skills for malware, prompt injection, and suspicious patterns before installation.
Why?
Agent skills are powerful โ they're basically executable documentation. The ClawHub ecosystem has already seen malware campaigns distributing infostealers via innocent-looking skills. pincer adds a security layer before you install anything.
Install
# From ClawHub
clawhub install pincer
# Or manually
chmod +x ./scripts/pincer.sh
ln -sf "$(pwd)/scripts/pincer.sh" ~/.local/bin/pincer
Dependencies:
clawhubโ for fetching skillsuvxโ for mcp-scan (brew install uv)jqโ for JSON parsing
Usage
Safe Install
# Instead of: clawhub install some-skill
pincer install some-skill
# With specific version
pincer install some-skill@1.2.0
Scan Without Installing
# Scan a ClawHub skill
pincer scan some-skill
# Scan a local directory
pincer scan ./path/to/skill
# JSON output for automation
pincer scan some-skill --json
Audit Installed Skills
# Quick-scan all installed skills
pincer audit
# JSON output
pincer audit --json
Manage Trust
# Add trusted publisher (auto-approve clean skills)
pincer trust add steipete
# Remove from trusted
pincer trust remove old-publisher
# Block a publisher or skill
pincer trust block suspicious-dev
pincer trust block malware-skill
# Unblock
pincer trust unblock redeemed-dev
# List all trust settings
pincer trust list
View History
# See what you've installed
pincer history
# JSON output
pincer history --json
Configuration
# Show current config
pincer config show
# Edit in $EDITOR
pincer config edit
# Reset to defaults
pincer config reset
What It Checks
Via mcp-scan (Invariant Labs)
- Prompt injection attacks
- Malware payloads in natural language
- Tool poisoning
- Sensitive data exposure
- Hard-coded secrets
Additional Pattern Detection
| Pattern | Risk | Description |
|---|---|---|
| Base64 commands | ๐จ High | Encoded shell commands |
| Hex payloads | ๐จ High | Obfuscated binary data |
xattr -d quarantine | ๐จ High | macOS Gatekeeper bypass |
curl | sh | ๐จ High | Pipe to shell execution |
| Password archives | ๐จ High | Hidden malicious payloads |
| Download + execute | โ ๏ธ Medium | chmod +x && ./ patterns |
eval $var | โ ๏ธ Medium | Dynamic code execution |
| Hidden files | โ ๏ธ Medium | Dot-file creation |
| Persistence | โ ๏ธ Medium | cron/launchd entries |
Publisher & Provenance
- Publisher reputation (trusted list)
- Download count threshold
- Skill age threshold
- Blocklist checking
Binary Detection
- Scans for bundled executables
- Flags Mach-O, ELF, PE32 binaries
Risk Levels
| Level | Meaning | Action |
|---|---|---|
| โ CLEAN | No issues | Auto-approve if trusted publisher |
| โ ๏ธ CAUTION | Warnings present | Prompt for approval |
| ๐จ DANGER | Suspicious patterns | Block (override with --force) |
| โ ๏ธ MALWARE | Known malicious | Block (cannot override) |
| โ BLOCKED | On blocklist | Block (cannot override) |
Configuration
Config: ~/.config/pincer/config.json
{
"trustedPublishers": ["openclaw", "steipete", "invariantlabs-ai"],
"blockedPublishers": [],
"blockedSkills": [],
"autoApprove": "clean",
"logInstalls": true,
"minDownloads": 0,
"minAgeDays": 0
}
| Key | Description |
|---|---|
trustedPublishers | Publishers whose clean skills auto-approve |
blockedPublishers | Always block these publishers |
blockedSkills | Always block these specific skills |
autoApprove | "clean" = auto-approve clean+trusted, "never" = always prompt |
logInstalls | Log installations to history file |
minDownloads | Warn if skill has fewer downloads |
minAgeDays | Warn if skill is newer than N days |
Examples
Clean Install
$ pincer install bird
๐ก๏ธ pincer v1.0.0
โ Fetching bird from ClawHub...
Publisher: steipete (trusted)
Stats: 7363 downloads ยท 27 โ
ยท created 1 month ago
๐ก๏ธ pincer Scanning bird...
โ Running mcp-scan...
โ
mcp-scan: passed
โ Checking for suspicious patterns...
โ
Pattern check: passed
โ Checking external URLs...
โ
URL check: passed
โ Checking for bundled binaries...
โ
Binary check: passed
Risk Assessment:
โ
CLEAN โ No issues detected
โ Auto-approved (clean + trusted config).
โ Installing bird...
โ
Installed successfully!
Dangerous Skill Blocked
$ pincer install sketchy-tool
๐ก๏ธ pincer v1.0.0
โ Fetching sketchy-tool from ClawHub...
Publisher: newaccount (unknown)
Stats: 12 downloads ยท 0 โ
ยท created 2 days ago
๐ก๏ธ pincer Scanning sketchy-tool...
โ Running mcp-scan...
๐จ mcp-scan: high-risk warnings
โ Checking for suspicious patterns...
๐จ Pattern check: suspicious patterns found
โข curl/wget piped to shell
โข macOS quarantine removal (xattr)
โ Checking external URLs...
โ ๏ธ URL check: external URLs found
โข http://sketchy-domain.xyz/install
โ Checking for bundled binaries...
โ
Binary check: passed
Risk Assessment:
๐จ DANGER โ Suspicious patterns detected
โข mcp-scan: high-risk patterns detected
โข curl/wget piped to shell
โข macOS quarantine removal (xattr)
โ ๏ธ Install blocked. Use --force to override (not recommended).
Credits
- mcp-scan by Invariant Labs โ core security scanning
- 1Password Security Research โ threat analysis that inspired this tool
- Snyk ToxicSkills Report โ ecosystem threat research
License
MIT
Stay safe out there. ๐ก๏ธ
Overview
Pincer adds a security layer before installing agent skills. It wraps clawhub install and scans for malware, prompt injection, and suspicious patterns prior to installation. This reduces risk from compromised or malicious skills.
How This Skill Works
Pincer uses mcp-scan (via Invariant Labs) to inspect skill payloads and patterns, flagging risks such as malware, prompt injections, and hard-coded secrets. It provides commands for safe install, scan, and audit, plus trust management and JSON outputs for automation. A local script is installed to PATH for easy access.
When to Use It
- Before installing any new ClawHub skill to ensure safety
- When auditing all installed skills for threats
- When scanning a local skill directory before install
- During publisher trust management to auto-approve clean skills
- In automation pipelines needing JSON output for security checks
Quick Start
- Step 1: Install pincer to PATH (chmod +x scripts/pincer.sh and symlink to ~/.local/bin/pincer)
- Step 2: pincer install some-skill to safely install after scanning
- Step 3: Optional: pincer audit or pincer scan for ongoing safety
Best Practices
- Always run pincer scan before pincer install
- Run pincer audit regularly on installed skills
- Maintain a trusted publishers list and block suspicious ones
- Verify dependencies (clawhub, uvx, jq) are up to date
- Use JSON output for CI/CD automation
Example Use Cases
- Install a new skill safely by running pincer install my-skill
- Scan a local directory before adding it to your environment
- Audit all installed skills to detect hidden threats
- Manage publishers by adding a trusted source with pincer trust add
- Review install history to track changes
Frequently Asked Questions
Add this skill to your agents
