Wyld Stallyns: Be Excellent
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: wyld-stallyns
Version: 1.0.4
The skill is suspicious due to the `summon forge <candidate>` command described in `SKILL.md` and detailed in `FORGE.md`. The `FORGE.md` instructions direct the AI agent to 'research the candidate deeply' (potential for external interaction/search query injection) and, more critically, to 'Save markdown file: `skills/wyld-stallyns/assets/legends/[legend-id].md`' and 'Add to `council.json`'. These file write operations, based on user-provided input for `<candidate>`, present a significant risk for path traversal (writing files outside the skill's directory) and prompt injection (injecting malicious markdown instructions into the generated `.md` file or malforming `council.json`), as no input sanitization is explicitly mentioned.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A custom legend could shape future responses, so poorly reviewed or instruction-like legend text could steer the assistant in later conversations.
This shows the skill intentionally supports saving user-created legend content into persistent skill assets and registering it for future use.
Save markdown file: `skills/wyld-stallyns/assets/legends/[legend-id].md` ... Add to `council.json`
Review custom legends before adding them, keep them limited to perspective and advice content, and avoid storing secrets or instructions that override normal assistant behavior.
