ClawHub

Agent Portability Checker

v1.1.3

Audit agent skills for platform lock-in and cross-agent compatibility. Use when checking if a skill is portable, making a skill work across multiple agents (...

0· 67·0 current·0 all-time
by@99rebels
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, and the included scripts/audit.py are coherent: the repository contains an auditing script that looks for hardcoded paths, XDG fallbacks, SKILL_DATA_DIR usage, User-Agent strings, platform CLI invocations, headless setup flags, and credential env-var support. No unrelated environment variables, binaries, or install steps are requested.
Instruction Scope
SKILL.md tells the agent to run python3 scripts/audit.py <skill_dir> (and optionally --fix). The script will recursively read the provided directory and, when --fix is used, apply auto-fixes to files. This behavior is expected for a portability fixer but means the skill can modify files in any directory the agent is pointed at — review changes before applying --fix and avoid pointing it at sensitive system paths.
Install Mechanism
No install spec is provided (instruction-only with one helper script). This is the lowest-risk model: nothing is downloaded or installed automatically by the skill.
Credentials
The skill declares no required environment variables, no credentials, and no config-path access. The script itself searches target files for credential handling but does not request secrets from the runtime environment.
Persistence & Privilege
always:false and no special privileges are requested. However, the skill can be invoked autonomously (platform default) and — when given a path — can write changes to that path via its auto-fix mode. The combination of autonomous invocation and file-writing capability is not inherently malicious but merits caution (run audits read-only first; limit the directories the skill may inspect/modify).
Assessment
This skill appears to do what it says: audit a skill directory and optionally auto-fix portability issues. Before using --fix, run the audit in read-only or --json mode and inspect the findings. If you allow auto-fix, back up the target directory or review diffs produced by the script. Do not point the tool at system or home-root paths you don't want modified. If you plan to let agents call this skill autonomously, restrict which directories the agent may pass as <skill_dir> so it cannot scan or modify arbitrary filesystem locations.

Like a lobster shell, security has layers — review code before you run it.

latestvk979v4hhnhjtdscmsmrvj404a18489rq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments