Skill Creator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears benign and purpose-aligned; its helper scripts work locally, but users should inspect folders before packaging because the archive includes everything selected.

It is reasonable to install based on the provided artifacts. If you run the helper scripts, use intentional paths, review generated files, and inspect any .skill archive before sharing it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

If a user later shares the generated .skill file, unintended local files inside the chosen folder could be included.

Why it was flagged

The packager includes every file under the selected skill directory in the .skill archive. This is core to packaging, but it can capture unintended files if the folder contains secrets, hidden files, symlinks, or extra artifacts.

Skill content
for file_path in skill_path.rglob('*'): ... zipf.write(file_path, arcname)
Recommendation

Before packaging or sharing, inspect the skill directory and archive contents; keep credentials, private notes, build outputs, and unrelated files out of the skill folder.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less external context for verifying the origin of the bundled scripts.

Why it was flagged

The registry metadata does not identify an upstream source or homepage. This does not show unsafe behavior, but it limits external provenance checks for a skill that includes runnable helper scripts.

Skill content
Source: unknown; Homepage: none
Recommendation

Install only if you trust the publisher or have reviewed the bundled files you plan to run.