local-skill-manager
Review
Audited by ClawScan on May 1, 2026.
Overview
This skill appears purpose-aligned for managing local skills, but users should notice that it can create and permanently delete local skill directories.
This skill is reasonable for managing local skills. Before installing, be aware that it can permanently delete skill folders; prefer dry-run mode first and do not use --force unless you are sure. Also verify the PyYAML dependency source/version if supply-chain hygiene is important to you.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, this could remove local skills and change how the user's agent behaves.
The skill includes a script that can permanently remove a local skill directory, and it supports a force option that skips the confirmation prompt.
force_flag = '--force' in args ... shutil.rmtree(target_path)
Use --dry-run first, avoid --force unless the user explicitly requested deletion, and keep backups of important local skills.
Installing dependencies can introduce supply-chain risk if the package source or version changes unexpectedly.
The skill asks users to install a Python dependency for normal operation; the dependency is purpose-aligned but unpinned and not represented as an install spec.
pip install -r requirements.txt ... `requirements.txt` contains: `pyyaml`
Install dependencies from a trusted package index and consider pinning PyYAML to a known-good version.
Names, versions, and descriptions of installed local skills may be exposed to the agent during listing, and descriptions from other skills should be treated as data rather than instructions.
The listing script reads descriptions from other local SKILL.md files and prints them into the agent context.
description = meta.get('description', description) ... print(f" {skill['description'][:100]}...")
Review listed skill metadata as informational output only, especially if some installed skills come from untrusted sources.
