Skill Creator
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: skill-creator Version: 0.1.0 The skill is classified as suspicious primarily due to the `scripts/init_skill.py` file. This script creates a new skill directory and, as part of its templating process, generates an `example.py` file within the `scripts/` subdirectory, setting its permissions to `0o755` (executable). While the content of the generated `example.py` is a benign placeholder, the capability to create executable files in a user-specified path, even for templating, represents a significant security risk if the script's inputs were controlled by a malicious actor or if the template itself were altered. The `SKILL.md` and other files are instructional and do not contain malicious prompt injection or other harmful behaviors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user later shares the generated .skill file, unintended local files inside the chosen folder could be included.
The packager includes every file under the selected skill directory in the .skill archive. This is core to packaging, but it can capture unintended files if the folder contains secrets, hidden files, symlinks, or extra artifacts.
for file_path in skill_path.rglob('*'): ... zipf.write(file_path, arcname)Before packaging or sharing, inspect the skill directory and archive contents; keep credentials, private notes, build outputs, and unrelated files out of the skill folder.
Users have less external context for verifying the origin of the bundled scripts.
The registry metadata does not identify an upstream source or homepage. This does not show unsafe behavior, but it limits external provenance checks for a skill that includes runnable helper scripts.
Source: unknown; Homepage: none
Install only if you trust the publisher or have reviewed the bundled files you plan to run.