Skill Vetter
Security checks across malware telemetry and agentic risk
Overview
This is an instruction-only security checklist with no runnable code or credentials, though users should notice the metadata mismatch and optional GitHub lookup commands.
This looks generally safe to install as an instruction-only checklist. Before installing, verify the package identity because the registry and _meta.json metadata differ, and when using its GitHub commands, make sure they target only the repository you intended to review.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the skill is used, the agent may make outbound requests to GitHub to inspect a repository.
The skill documents optional shell/network commands for reviewing GitHub-hosted skills. This is expected for the vetting purpose, but users should ensure the placeholders are replaced with the intended repository before use.
curl -s "https://api.github.com/repos/OWNER/REPO" ...
curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md"
Use these commands only for the intended repository and review fetched content before trusting it.
A user may need to verify they are installing the intended listing and version.
The packaged metadata does not match the registry metadata provided in the review input, which lists a different owner ID, slug, and version. No runnable code is present, so this is a provenance consistency note rather than evidence of harmful behavior.
"ownerId": "kn71j6xbmpwfvx4c6y1ez8cd718081mg", "slug": "skill-vetter", "version": "1.0.0"
Confirm the registry page, owner, and version before installing, and keep packaged metadata synchronized with the published listing.
