Decomposes complex user requests into executable subtasks, identifies required capabilities, searches for existing skills at skills.sh, and creates new skills when no solution exists. This skill should be used when the user submits a complex multi-step request, wants to automate workflows, or needs help breaking down large tasks into manageable pieces.

v1.0.0


License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description describe decomposition, capability mapping, skills search and generation; SKILL.md, README and reference files implement that workflow. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
Instructions stay within the stated domain: break down tasks, map capabilities, search skills.sh and create skill templates. Examples mention using service credentials (email, Slack tokens) as inputs for specific tasks — this is expected for real integrations, but the skill does not itself instruct broad file reads or exfiltration. It does instruct using the Skills CLI (npx) to search/install skills, which lets the agent execute network fetches and run remote code when installing found/created skills.
Install Mechanism
There is no install spec and no code files executed by the skill itself (instruction-only), which is low-risk. However the docs and runtime instructions recommend using 'npx skills add'/'npx skills init' — invoking those at runtime will fetch and run code from external sources (npm/GitHub), so installation actions triggered by this skill could carry the usual risks of executing third-party packages.
Credentials
The skill declares no required environment variables, credentials, or config paths. Examples reference service credentials only where they are logically required (e.g., Slack webhook for message_delivery). No disproportionate or unrelated secret requests are present.
Persistence & Privilege
always:false and no special persistence or cross-skill config edits are requested. The skill can be invoked autonomously by the agent (platform default) but it does not request elevated 'always' presence or modify other skills' configs.
Assessment
This skill is internally consistent and does what it says: decompose tasks, map capabilities, and search/create skills. The main practical risk is that following its instructions requires using the Skills CLI (npx) to fetch/install third‑party skills or to initialize new skills — those actions will download and execute external code. Before installing or letting an agent run npx installs: (1) review the code of any skill you plan to install, (2) avoid granting secrets (API keys, tokens) unless you trust the target skill, (3) run installations in an isolated environment or sandbox, and (4) consider restricting the agent's ability to run arbitrary CLI/network commands if you need stronger confinement.

Like a lobster shell, security has layers — review code before you run it.

latestvk9768zk3hhev1jgh26e6kdfdxn80k7w2
