ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Acrid's Skill Creator

v2.0.0

Creates robust, production-grade agent skills from natural language requests, handling design, error management, and code scaffolding for immediate use.

0· 46·0 current·0 all-time
by@acrid-auto
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name and description match its instructions: it is a meta-skill that designs and scaffolds other skills. The SKILL.md, README, and templates all support that purpose. Required binaries/env/configs: none — this is proportional for a generator that only writes files and produces SKILL.md/README templates.
Instruction Scope
The runtime instructions explicitly direct the agent to parse requests, design contracts, and write SKILL.md/README and helper scripts. That scope is appropriate for a skill creator, but it inherently grants the agent discretion to include filesystem operations, external API calls, and environment-variable requirements in the generated skills. The SKILL.md does not itself instruct reading of unrelated system secrets, but generated skills may.
Install Mechanism
No install spec and no code files to execute are provided by the skill itself (instruction-only). This minimizes risk because nothing is downloaded or written by an installer at install-time.
Credentials
The skill declares no required environment variables or credentials, which is reasonable for a meta-skill. Note: generated skills are expected to request env vars or API keys if required by the target integration; those requests should be reviewed on a per-skill basis.
Persistence & Privilege
The skill is not force-included (always: false). It allows autonomous invocation (disable-model-invocation: false), which is the platform default. Because this is a meta-skill that can generate other skills, autonomous invocation increases potential blast radius (the agent could autonomously scaffold new skills), so it's prudent to review and restrict autonomous use if you want tighter control.
Assessment
This meta-skill is coherent with its stated purpose and does not request secrets or install code itself, but exercise caution: 1) Review every generated SKILL.md/README and any helper scripts before running them — generated skills may request API keys, access files, or call external endpoints. 2) If you allow autonomous invocation, consider limiting when/which prompts can trigger this skill so it cannot generate and run code without human review. 3) Verify the upstream source (package.json references a GitHub repo but registry metadata lists source as unknown/homepage none) before trusting outputs. 4) Run generated scripts in a sandbox or CI pipeline and audit any dependencies or network calls the generated skill introduces.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ekrsd3mxs4ha0hyvyhnhydn83s2zw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments