Vetting Plugins + Tools

Level 4 · Course 23

Free tools are not automatically safe. A plugin, ClawHub skill, platform integration, extension, script, or package can look like a helpful shortcut and still read files it should never touch, call services you did not approve, or change behavior after an update. This applies to anything asking for file, network, shell, or config access — not just random internet tools, but platform components and workspace integrations as well. Your agent wants useful tools. You need it to verify them before they touch the workspace.

This course installs a tool-vetting gate. Your agent checks what the tool is, where it came from, what permissions it needs, what files it can reach, whether it executes code, whether it calls the network, and whether there is a simpler built-in path. The question is not "does this tool work?" The question is "what can this tool do if it goes bad?"

You do not have to become a security engineer. You need a repeatable pause before installing or running something new. After this course, your agent treats every plugin, script, skill, ClawHub integration, repo, and browser extension as untrusted until it passes the gate.


The Vetting Gate

Before your agent installs anything — a plugin, a script, a skill, a browser extension — it runs seven checks. Each check has one question. The gate takes three minutes. The answer to each is pass, warn, or fail. You review the report before anything touches the workspace.

1 — Origin
Who built this? One person? A team? Anonymous? When was it last updated?
2 — Permissions
What does it ask to access? Files? Network? Config? Email? Shell? Can it write, or can it only read?
3 — Network
Does it call home? What URLs does it reach? Is there a stated reason for each external call?
4 — Dependencies
What does it install alongside itself? npm packages? Python libraries? System tools? Are any of those flagged?
5 — Scope
What files can it touch? Is it scoped to its own directory, or can it roam the workspace?
6 — Simpler Path
Is there already a built-in way to do this? A shell command? A platform feature? A one-liner?
7 — Sandwich Test
Install it in a sandbox first. Does it do what it claims? Does it do anything it didn't claim?

What the Agent Produces

After running the gate, your agent outputs a vetting report — one line per check, with a status. You review it. The operator decides whether to proceed. Nothing installs until you sign off.

Pass Origin — Published by a 12-person team. Last updated 3 weeks ago. Public repository with 200+ commits and active issue tracker.
Pass Permissions — Read-only file access within the project directory. No write access. No shell execution.
Warn Network — Makes one external call to analytics.example.com on install. No stated reason in documentation. Call is present but not explained.
Fail Dependencies — Installs 15 packages including a network proxy library. This is a text formatter. No justification for the dependency count.
Pass Scope — Operates only inside the /plugins/ subdirectory. Cannot access the workspace root or config files.
Warn Simpler Path — Core function replicates a built-in shell command. Added features may justify the install, but this should be confirmed before proceeding.
Pass Sandwich Test — Sandbox install matched claimed behavior. No undocumented file writes or unexpected network calls observed.

This report has two red flags: an unexplained external call and 15 dependencies for a text formatter. The report doesn't decide for you. It surfaces what you need to decide before anything runs in the live workspace.
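
As an added example (not the course's own tooling), the gate written as a policy function over a declared tool manifest plus sandbox observations. The manifest keys, the 180-day staleness and 5-dependency thresholds, and the sample formatter manifest are assumptions constructed to reproduce the report above.

```python
import posixpath
from datetime import date

STALE_DAYS, MAX_DEPS = 180, 5  # assumed thresholds for the Origin and Dependencies checks
TODAY = date(2024, 5, 31)      # constructed review date so the sample is reproducible

def inside(path, root):
    # Resolve '..' lexically so a declared '/plugins/fmt/../../etc/hosts' cannot pass as scoped.
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def vet(m, today):
    """Return {check: (status, reason)} for the seven checks; status is pass/warn/fail."""
    r, age = {}, (today - m["last_updated"]).days
    r["Origin"] = (("fail", "anonymous publisher") if m["maintainers"] == 0 else
                   ("warn", f"last updated {age} days ago") if age > STALE_DAYS else
                   ("pass", f"{m['maintainers']} maintainers, updated {age} days ago"))
    perms = set(m["permissions"])
    r["Permissions"] = (("fail", "requests shell execution") if "shell" in perms else
                        ("warn", "requests write access") if "write" in perms else
                        ("pass", "read-only file access"))
    unexplained = sorted(h for h, why in m["network"].items() if not why)
    r["Network"] = (("warn", "unexplained call to " + ", ".join(unexplained)) if unexplained else
                    ("pass", "all external calls documented" if m["network"] else "no external calls"))
    n = len(m["dependencies"])
    r["Dependencies"] = (("fail", f"{n} packages for a {m['kind']}") if n > MAX_DEPS else
                         ("pass", f"{n} packages"))
    outside = [p for p in m["paths"] if not inside(p, m["install_root"])]
    r["Scope"] = (("fail", "reaches outside install root: " + ", ".join(outside)) if outside else
                  ("pass", f"scoped to {m['install_root']}"))
    r["Simpler Path"] = (("warn", f"core function replicates built-in '{m['builtin']}'") if m["builtin"] else
                         ("pass", "no built-in equivalent"))
    surprises = m["sandbox"]["unexpected_writes"] + m["sandbox"]["unexpected_hosts"]
    r["Sandwich Test"] = (("fail", "undeclared behavior: " + ", ".join(surprises)) if surprises else
                          ("pass", "sandbox behavior matched claims"))
    return r

def report(results):
    # One line per check, in gate order, in the same shape as the sample report.
    return "\n".join(f"{st.capitalize():4} {name} - {why}" for name, (st, why) in results.items())

# Constructed manifest mirroring the sample report above (12 maintainers, read-only, 15 deps, one unexplained call).
FORMATTER = {
    "kind": "text formatter", "maintainers": 12, "last_updated": date(2024, 5, 10),
    "permissions": ["read"], "network": {"analytics.example.com": ""},
    "dependencies": [f"pkg{i}" for i in range(15)], "install_root": "/plugins",
    "paths": ["/plugins/formatter", "/plugins/formatter/cache"], "builtin": "fmt",
    "sandbox": {"unexpected_writes": [], "unexpected_hosts": []},
}
if __name__ == "__main__": print(report(vet(FORMATTER, TODAY)))
```

The Scope check is the one that needs care: a path is compared only after `..` segments are resolved, so a manifest cannot declare a directory that looks scoped but escapes the install root.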

When the Tool Includes Code

For tools that include actual code — a package, repo, script, or install manifest — the vetting splits into two roles. Your main agent runs the seven checks, manages the decision, and explains the risk to you. Claude Code (your code-review agent) inspects the source directly: checking declared permissions, network calls, install scripts, dependency chains, and file-write behavior. Neither role decides alone. The operator approves or rejects before anything runs in the live workspace.

The split is clean: main agent handles the conversation and the decision; code-review agent handles the technical inspection. You stay in the loop at the end, not buried in the middle of it.

"Not 'does this work?' — 'what can this do if it goes bad?' That's the difference between a tool and a liability."

You decide: before your next skill install, run this gate. Most installs pass everything except one check. You find it before your agent does.

Your Agent PDF

Your agent executes the PDF. You read the page. No copying. No manual setup.

Download PDF — Course 23
