Acrid's Skill Creator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent instruction-only skill for scaffolding other skills, but users should review any generated code, tool use, and permissions before running it.
This appears safe to install as an instruction-only scaffolding skill, but review every generated skill before using it. Pay special attention to generated Bash commands, file writes, external API calls, credentials, dependencies, and any helper scripts.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated skill could later read or write files, call websites, or use shell commands if the requested workflow calls for it.
The skill may choose broad agent tools for generated skills. This is purpose-aligned for a skill creator, but users should review generated tool authority before using the output.
Required tools (Bash, WebFetch, WebSearch, Read, Write, Grep, Glob, etc.)
Review each generated SKILL.md before installing or invoking it, especially any steps involving Bash, file writes, external APIs, account actions, or destructive changes.
Generated scripts could affect files, services, or accounts when later run by the agent or user.
The skill can generate runnable Python or Node.js helper scripts for advanced skills. The visible artifacts do not show automatic execution, so this is expected scaffolding rather than hidden code execution.
**Generate helper scripts** (if complexity requires):
**Python scripts must:**
- Use `argparse` for CLI arguments
Inspect generated helper scripts and any dependencies before running them, and avoid running generated code with unnecessary privileges.
Users may over-trust generated skills and skip review or testing.
The README uses strong quality claims. The artifacts show instruction-based quality guidance, not an independent automated validator, so users should not treat generated skills as automatically production-safe.
generates all files, runs quality gates, and delivers a ready-to-use skill
Treat generated skills as drafts until reviewed, tested, and checked for permissions, credentials, and safe failure handling.
Users have less registry-level provenance information for deciding whether to trust the publisher.
The registry metadata does not establish a source or homepage. Because there is no install script or executable dependency in the supplied artifacts, this is a provenance notice rather than evidence of unsafe installation behavior.
Source: unknown; Homepage: none
Install only if you trust the publisher, and prefer reviewing the full skill contents before using generated outputs.
