Add 5 missing skills to repo for sync coverage

github-repo-search, gooddays-calendar, luxtts,
openclaw-tavily-search, skill-vetter — previously only
in workspace, now tracked in Gitea for full sync.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

skills/skill-vetter/.clawhub/origin.json

@@ -0,0 +1,7 @@
+{
+  "version": 1,
+  "registry": "https://clawhub.ai",
+  "slug": "skill-vetter",
+  "installedVersion": "1.0.0",
+  "installedAt": 1773199291047
+}

skills/skill-vetter/SKILL.md

@@ -0,0 +1,138 @@
+---
+name: skill-vetter
+version: 1.0.0
+description: Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
+---
+
+# Skill Vetter 🔒
+
+Security-first vetting protocol for AI agent skills. **Never install a skill without vetting it first.**
+
+## When to Use
+
+- Before installing any skill from ClawdHub
+- Before running skills from GitHub repos
+- When evaluating skills shared by other agents
+- Anytime you're asked to install unknown code
+
+## Vetting Protocol
+
+### Step 1: Source Check
+
+```
+Questions to answer:
+- [ ] Where did this skill come from?
+- [ ] Is the author known/reputable?
+- [ ] How many downloads/stars does it have?
+- [ ] When was it last updated?
+- [ ] Are there reviews from other agents?
+```
+
+### Step 2: Code Review (MANDATORY)
+
+Read ALL files in the skill. Check for these **RED FLAGS**:
+
+```
+🚨 REJECT IMMEDIATELY IF YOU SEE:
+─────────────────────────────────────────
+• curl/wget to unknown URLs
+• Sends data to external servers
+• Requests credentials/tokens/API keys
+• Reads ~/.ssh, ~/.aws, ~/.config without clear reason
+• Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md
+• Uses base64 decode on anything
+• Uses eval() or exec() with external input
+• Modifies system files outside workspace
+• Installs packages without listing them
+• Network calls to IPs instead of domains
+• Obfuscated code (compressed, encoded, minified)
+• Requests elevated/sudo permissions
+• Accesses browser cookies/sessions
+• Touches credential files
+─────────────────────────────────────────
+```
+
+### Step 3: Permission Scope
+
+```
+Evaluate:
+- [ ] What files does it need to read?
+- [ ] What files does it need to write?
+- [ ] What commands does it run?
+- [ ] Does it need network access? To where?
+- [ ] Is the scope minimal for its stated purpose?
+```
+
+### Step 4: Risk Classification
+
+| Risk Level | Examples | Action |
+|------------|----------|--------|
+| 🟢 LOW | Notes, weather, formatting | Basic review, install OK |
+| 🟡 MEDIUM | File ops, browser, APIs | Full code review required |
+| 🔴 HIGH | Credentials, trading, system | Human approval required |
+| ⛔ EXTREME | Security configs, root access | Do NOT install |
+
+## Output Format
+
+After vetting, produce this report:
+
+```
+SKILL VETTING REPORT
+═══════════════════════════════════════
+Skill: [name]
+Source: [ClawdHub / GitHub / other]
+Author: [username]
+Version: [version]
+───────────────────────────────────────
+METRICS:
+• Downloads/Stars: [count]
+• Last Updated: [date]
+• Files Reviewed: [count]
+───────────────────────────────────────
+RED FLAGS: [None / List them]
+
+PERMISSIONS NEEDED:
+• Files: [list or "None"]
+• Network: [list or "None"]  
+• Commands: [list or "None"]
+───────────────────────────────────────
+RISK LEVEL: [🟢 LOW / 🟡 MEDIUM / 🔴 HIGH / ⛔ EXTREME]
+
+VERDICT: [✅ SAFE TO INSTALL / ⚠️ INSTALL WITH CAUTION / ❌ DO NOT INSTALL]
+
+NOTES: [Any observations]
+═══════════════════════════════════════
+```
+
+## Quick Vet Commands
+
+For GitHub-hosted skills:
+```bash
+# Check repo stats
+curl -s "https://api.github.com/repos/OWNER/REPO" | jq '{stars: .stargazers_count, forks: .forks_count, updated: .updated_at}'
+
+# List skill files
+curl -s "https://api.github.com/repos/OWNER/REPO/contents/skills/SKILL_NAME" | jq '.[].name'
+
+# Fetch and review SKILL.md
+curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md"
+```
+
+## Trust Hierarchy
+
+1. **Official OpenClaw skills** → Lower scrutiny (still review)
+2. **High-star repos (1000+)** → Moderate scrutiny
+3. **Known authors** → Moderate scrutiny
+4. **New/unknown sources** → Maximum scrutiny
+5. **Skills requesting credentials** → Human approval always
+
+## Remember
+
+- No skill is worth compromising security
+- When in doubt, don't install
+- Ask your human for high-risk decisions
+- Document what you vet for future reference
+
+---
+
+*Paranoia is a feature.* 🔒🦀

skills/skill-vetter/_meta.json

@@ -0,0 +1,6 @@
+{
+  "ownerId": "kn71j6xbmpwfvx4c6y1ez8cd718081mg",
+  "slug": "skill-vetter",
+  "version": "1.0.0",
+  "publishedAt": 1769863429632
+}