Skill v1.0.0

ClawScan security

skill-refiner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 20, 2026, 3:41 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and scripts match its stated purpose (finding and auditing skills), but the runtime instructions explicitly recommend deleting and moving files across the entire workspace, which is potentially destructive and surprising if executed autonomously.
Guidance
This package is functionally what it says (it discovers and audits SKILL.md files), but its runtime instructions recommend destructive fixes (deleting README.md, moving directories, renaming skills) that could remove or relocate many user files. Before installing or allowing autonomous invocation:
1) Inspect scripts locally and run them yourself in read-only mode (bash scripts/find_skills.sh and python3 scripts/audit_skill.py) to review the audit output.
2) Make a full backup of your workspace.
3) Do not grant the skill permission to run shell commands autonomously unless you trust it; prefer manual application of fixes after reviewing each change.
4) If you want automation, consider forking the skill and removing or changing the destructive 'fix' steps (or add a dry-run flag and explicit user confirmation for any delete/move operations).

Review Dimensions

Purpose & Capability
ok: The name/description match the packaged artifacts: scripts/find_skills.sh searches the workspace for SKILL.md files and scripts/audit_skill.py performs the compliance checks the README/SKILL.md describe. No unrelated binaries, services, or env vars are requested.
Instruction Scope
concern: SKILL.md instructs an exhaustive search of the entire workspace and provides step-by-step 'Fix non-compliant skills' actions that include deleting files (README.md, CHANGELOG.md), renaming directories, and moving skills into ~/.openclaw/workspace/skills/<skill-name>/. The included scripts only perform discovery and auditing (read-only), but the instructions encourage destructive filesystem changes. If an agent follows the SKILL.md instructions autonomously or runs ad-hoc shell commands, this could result in mass file moves/deletions across the user's workspace.
Install Mechanism
ok: No remote install or downloads are specified (instruction-only skill with local scripts). All code is bundled; there are no external URLs, package installs, or extraction steps. Risk from the install mechanism is low.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. The actions it describes operate on local files only, which is proportionate to an auditing/fixing tool.
Persistence & Privilege
note: The skill is not always-included and requests no special privileges. However, because the SKILL.md explicitly tells the agent how to modify/move/delete many files across the workspace, granting the agent autonomous execution rights (or allowing it to run these shell commands) increases the blast radius. The scripts themselves do not automatically perform fixes, but the instructions could be executed by the agent or a user.