Ai Prompt Library

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ai-prompt-library
Version: 2.0.0

The skill bundle provides a collection of basic shell-based utilities for prompt engineering, such as generating simple templates and estimating token costs. While the description in SKILL.md is heavily keyword-optimized and references external system prompt repositories, the actual code in scripts/script.sh and scripts/system_prompts_and_models_of_ai_tools.sh is harmless, containing only basic text output, local logging to a standard data directory, and a simple Python-based calculator. No evidence of data exfiltration, malicious execution, or significant vulnerabilities was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may expect a complete prompt/model library, but the artifacts look much more limited.

Why it was flagged

The skill makes very broad completeness claims, while the included scripts appear to provide only basic helper output and a placeholder run command. This is a capability-trust note rather than evidence of malicious behavior.

Skill content

FULL Augment Code, Claude Code, Cluely, CodeBuddy, Comet, Cursor, Devin AI... System Prompts, Internal Tools & AI Models

Recommendation

Treat the advertised scope as unverified and review the actual files before relying on the skill for comprehensive content.

What this means

The evaluate command may run the wrong internal cmd_* helper, or attempt to run a matching external command, instead of simply evaluating output.

Why it was flagged

The evaluate command constructs the invoked command name from user-supplied arguments instead of calling the fixed cmd_evaluate function. Quoting limits shell injection, but this is still an unexpected dynamic dispatch path.

Skill content

evaluate) shift; cmd_"$@" ;;

Recommendation

Fix this branch to call `cmd_evaluate "$@"` and avoid using dynamic command names for user-provided arguments.

What this means

If a user passes sensitive text as a command argument, part of it may remain in a local history file.

Why it was flagged

The script persists some command arguments to a local history log. The artifacts do not show reuse of that log for future model context, but users should know input snippets may be stored locally.

Skill content

DATA_DIR="${AI_PROMPT_LIBRARY_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/ai-prompt-library}" ... _log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }

Recommendation

Avoid passing secrets to this skill, or modify/disable the local history logging if persistent records are not desired.

What this means

The skill may not run as expected unless bash and python3 are available, despite the registry showing no requirements.

Why it was flagged

The registry metadata does not declare runtime requirements, while SKILL.md lists bash 4+ and python3. This is an under-declared packaging/setup detail, not evidence of unsafe installation.

Skill content

Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

Recommendation

Verify local prerequisites manually and prefer metadata that accurately declares required binaries.