Skill Search
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent local skill-search tool; it runs included Python helpers and stores a local index of installed skill metadata, but the artifacts do not show malicious behavior.
This skill appears safe for local skill discovery. Before installing, be aware that it runs included Python scripts, reads your installed OpenClaw skill folders, and may persist a local search index. Treat suggested skills and confidence scores as search hints, not approval or safety guarantees.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may expect only instructions, but using the skill involves running included local Python code.
The registry-style metadata frames the skill as instruction-only while the artifact includes runnable helper scripts. The scripts are disclosed and purpose-aligned, but this is worth noticing before installation.
No install spec — this is an instruction-only skill. ... Code file presence: scripts/embeddings.py; scripts/skill_search.py
Install only if you are comfortable with the included scripts being invoked for local skill search; keep the code reviewed when updating the skill.
Installed skill names, descriptions, paths, triggers, and derived search text may persist locally and influence future recommendations.
The script scans installed skill folders, extracts searchable text from SKILL.md files, and persists it into a local JSON index. This is central to the skill's purpose, but it means skill metadata can be stored and reused later.
SKILL_DIRS = ["/usr/local/lib/node_modules/openclaw/skills", os.path.expanduser("~/.openclaw/workspace/skills")]
... "search_text": combined_text[:2000]
... json.dump(skills, f, indent=2)
Treat search results as discovery hints, inspect a matched skill's full SKILL.md before using it, and rebuild or delete the index after removing untrusted skills.
The agent may present recommendations as more intelligent or authoritative than the local heuristic search supports.
The documentation labels the suggestion mode as LLM/AI-powered, while the provided implementation routes suggestions through local hybrid search. This is not malicious, but it could make users overvalue the displayed confidence labels.
3. **LLM Task Matching** (AI-powered) — Describe your task, get skill recommendations
Use the recommendations as a starting point only, and verify the selected skill's purpose and permissions before relying on it.
