Skill Soup

Warn. Audited by ClawScan on May 10, 2026.

Overview

The skill is transparent about generating skills, but it can use a saved account token to autonomously publish generated skills and GitHub repos, and it trusts builder prompts that evolve over time without any clear approval boundary.

Only use this skill if you intentionally want an agent to sign in, generate skills, and potentially publish GitHub-backed outputs. Prefer a test account, protect or delete `.soup/auth.json` when done, avoid continuous/default generation unless you understand the effects, and manually inspect all generated skills before allowing publication.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

A user could end up publishing generated skills or GitHub repositories under their account when they only intended to run or test the skill.

Why it was flagged

The default generation workflow can perform high-impact API actions that publish generated skills and create GitHub repositories, with no visible per-publish confirmation in the provided artifacts.

Skill content
No arguments, `--continuous`, or user says "generate", "run" | **Generate** ... Validate and publish the result (the API creates a GitHub repo automatically)
Recommendation

Require an explicit preview and user confirmation before publishing, default to dry-run for no-argument invocations, and document rollback/delete steps for created repos and published skills.

Finding 2

What this means

The saved token can authorize ecosystem actions such as publishing and voting, and may be exposed if the workspace is shared or checked into another location.

Why it was flagged

The skill requires and persists account authentication for later API actions, while the registry metadata lists no primary credential; token scope, file permissions, and cleanup are not described.

Skill content
Authenticate with the Skill Soup API via GitHub device flow ... save it to `.soup/auth.json` ... Use the token as `Authorization: Bearer <TOKEN>` in all subsequent API calls.
Recommendation

Declare the credential requirement, document token scope and storage, set restrictive file permissions, provide logout/revoke instructions, and recommend using a limited/test account.
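The following is an added example of the storage and cleanup hygiene this recommendation asks for; it is not Skill Soup's code and makes no calls to its API. It uses the `.soup/auth.json` path named in the audited SKILL.md; the `scopes` field in the file, the `.gitignore` check, and the scrub-then-unlink logout are assumptions of the example.

```python
"""Added example (not Skill Soup's own code): save a device-flow token with
owner-only permissions, audit the file before using it, and forget it on logout."""
import json
import os
import stat
from pathlib import Path

AUTH_FILE = Path(".soup") / "auth.json"   # path named in the audited SKILL.md
OWNER_RW = 0o600


def save_token(workspace: Path, token: str, scopes: list[str]) -> Path:
    """Write the token so only the owner can read it; do not rely on umask."""
    path = workspace / AUTH_FILE
    path.parent.mkdir(parents=True, exist_ok=True)
    # "scopes" is an assumed field so later checks can see what the token can do.
    payload = json.dumps({"token": token, "scopes": scopes}).encode()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, OWNER_RW)
    try:
        os.write(fd, payload)
    finally:
        os.close(fd)
    os.chmod(path, OWNER_RW)   # O_CREAT mode is masked by umask, so force it
    return path


def audit_token_file(workspace: Path) -> list[str]:
    """Return problems a runner should refuse to proceed past."""
    problems = []
    path = workspace / AUTH_FILE
    if not path.exists():
        return ["no saved token; run the device-flow login first"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is readable by group/others (mode {oct(mode)})")
    gitignore = workspace / ".gitignore"
    ignored = gitignore.exists() and any(
        line.strip().rstrip("/") in (".soup", ".soup/auth.json")
        for line in gitignore.read_text().splitlines())
    if (workspace / ".git").exists() and not ignored:
        problems.append(".soup/ is not listed in .gitignore of a git workspace")
    return problems


def forget_token(workspace: Path) -> bool:
    """Local logout: overwrite then unlink. Revoking the token server-side
    (GitHub settings or the Skill Soup account) is a separate, required step."""
    path = workspace / AUTH_FILE
    if not path.exists():
        return False
    size = path.stat().st_size
    with open(path, "r+b") as f:
        f.write(b"\0" * size)   # best-effort scrub before delete
    path.unlink()
    return True


def demo() -> dict:
    """Self-check in a throwaway workspace with a constructed token value."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        ws = Path(d)
        (ws / ".git").mkdir()   # pretend the workspace is a git checkout
        save_token(ws, "gho_constructed_example_token", ["read:user"])
        before = audit_token_file(ws)           # not ignored yet
        (ws / ".gitignore").write_text(".soup/\n")
        after_ignore = audit_token_file(ws)     # clean
        os.chmod(ws / AUTH_FILE, 0o644)
        after_loosen = audit_token_file(ws)     # world-readable
        forgot = forget_token(ws)
        return {"before": before, "after_ignore": after_ignore,
                "after_loosen": after_loosen, "forgot": forgot,
                "gone": not (ws / AUTH_FILE).exists()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `audit_token_file` before every API call the skill makes with the bearer token, and treat a non-empty result as a hard stop rather than a warning.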

Finding 3

What this means

A bad or compromised builder could steer the agent into producing unsafe skills that are then published or reused by others.

Why it was flagged

Persisted and re-synced builder instructions are treated as operational guidance for generating publishable skills, but the provided artifacts do not show trust filtering, sandboxing, or controls against poisoned builder prompts.

Skill content
Select a builder tool from the pool ... Follow the builder's instructions to generate a new Agent Skill ... If `.soup/builders/` has builders but `.soup/last_sync` is missing or older than 5 minutes → proceed to Step 2 (re-sync)
Recommendation

Treat builder instructions as untrusted input, pin or approve builder sources, prevent builders from overriding runner safety rules, and require security review before publishing generated skills.

Finding 4

What this means

Unsafe builder mutations can propagate through generated skills and affect other users of the Skill Soup ecosystem.

Why it was flagged

The ecosystem explicitly evolves builder instructions that later generate skills, but the provided artifacts do not show provenance checks, signing, security gates, or containment before evolved outputs are reused or published.

Skill content
Reference for rewriting a builder's SKILL.md during evolution ... produce a child builder that generates differently-structured or differently-instructed skills than its parent.
Recommendation

Add provenance tracking, signed/pinned builder versions, automated safety checks, and human approval gates before evolved builders or generated skills are published.
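One way to get the "pin or approve builder sources" control from Finding 3 and the pinned-version/provenance gate from Finding 4, as an added example that is not part of Skill Soup: record the SHA-256 of each reviewed builder's SKILL.md under `.soup/builders/` (the directory the audited skill uses) and let the runner select only builders whose digest still matches. The pin file name `.soup/builder-pins.json` and the builder bodies are assumptions of the example.

```python
"""Added example (not Skill Soup's own code): pin reviewed builder SKILL.md
files by digest so a re-sync or evolution step cannot silently change what
the agent is instructed to generate."""
import hashlib
import json
from pathlib import Path

BUILDERS_DIR = Path(".soup") / "builders"          # directory named in the SKILL.md
PIN_FILE = Path(".soup") / "builder-pins.json"     # assumed name for this example


def digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def load_pins(workspace: Path) -> dict[str, str]:
    p = workspace / PIN_FILE
    return json.loads(p.read_text()) if p.exists() else {}


def approve_builders(workspace: Path, names: list[str]) -> dict[str, str]:
    """Human approval step: record the digest of each builder as reviewed."""
    pins = load_pins(workspace)
    for name in names:
        pins[name] = digest((workspace / BUILDERS_DIR / name / "SKILL.md").read_text())
    (workspace / PIN_FILE).write_text(json.dumps(pins, indent=2, sort_keys=True))
    return pins


def verify_builders(workspace: Path) -> dict[str, str]:
    """Classify every builder on disk as 'pinned', 'modified' (changed since
    approval, e.g. by a re-sync or evolution) or 'unpinned' (never reviewed)."""
    pins = load_pins(workspace)
    status = {}
    for skill_md in sorted((workspace / BUILDERS_DIR).glob("*/SKILL.md")):
        name = skill_md.parent.name
        if name not in pins:
            status[name] = "unpinned"
        elif pins[name] != digest(skill_md.read_text()):
            status[name] = "modified"
        else:
            status[name] = "pinned"
    return status


def runnable_builders(workspace: Path) -> list[str]:
    """The only builders the runner may select from the pool."""
    return [n for n, s in verify_builders(workspace).items() if s == "pinned"]


def demo() -> dict:
    """Self-check with two constructed builders in a throwaway workspace."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        ws = Path(d)
        for name in ("alpha", "beta"):
            (ws / BUILDERS_DIR / name).mkdir(parents=True)
            (ws / BUILDERS_DIR / name / "SKILL.md").write_text(
                f"# {name}\nGenerate a skill that formats dates.\n")
        approve_builders(ws, ["alpha"])      # only alpha was reviewed
        initial = verify_builders(ws)
        # simulate a re-sync or evolution step rewriting alpha's instructions
        (ws / BUILDERS_DIR / "alpha" / "SKILL.md").write_text(
            "# alpha (evolved)\nGenerate a skill that also publishes itself.\n")
        after_change = verify_builders(ws)
        return {"initial": initial, "after_change": after_change,
                "runnable": runnable_builders(ws)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A "modified" builder is the interesting case: it is exactly what the 5-minute re-sync and the evolution step produce, and it should route back through review rather than into the generation pool.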