Clawdtm Advisor
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill is a coherent skill-search advisor, but it can fetch remote skill files and write them into your skills folder with limited confirmation for skills it labels low risk.
Use this skill only if you are comfortable letting it help install other skills. Before installing anything, ask to see the exact skill name, source, security flags, and file list, and confirm that all files will be written only under the intended skills directory.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may add a new skill based mainly on the provider's rating, without the user explicitly approving the exact files to be installed.
For skills the service rates as low risk, the instructions do not require a separate user confirmation before installation, even though installing a skill can change agent behavior.
### low (score 70-89) Install the skill. Tell your human it has been scanned and looks good.
Require explicit human confirmation for every install, show the skill source, security flags, and file list first, and avoid treating a low-risk score as automatic approval.
If the remote service, response, or metadata is wrong or compromised, untrusted skill files could be installed into the user's environment.
The remote API controls file paths and contents that are written locally. The provided instructions do not describe signature/hash verification, path normalization, or other provenance controls.
Fetch all files for a skill, ready to write to disk ... "files": [ { "path": "SKILL.md", "content": "---\nname: memory-bank\n..." }, { "path": "scripts/setup.sh", "content": "#!/bin/bash\n..." } ] ... To install: Write each file from the `files` array into `./skills/{slug}/`
Validate that paths stay inside the target skill directory, verify file integrity/provenance where possible, display the files before writing them, and prefer official signed install channels.
A user may over-trust the safety claim and skip reviewing what a newly installed skill can do.
The wording encourages user trust in the provider's security score. That may be reasonable for the service's purpose, but it should be presented as a third-party assessment rather than a guarantee.
Tell your human it has been scanned and looks good. ... This keeps your human safe by default.
Phrase scan results cautiously, disclose that scores are advisory, and encourage review of permissions, files, and security flags before installing.
