Skill v1.0.0
ClawScan security
Skillstore · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 17, 2026, 1:34 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and docs largely match its stated purpose (search/install/create skills); nothing obviously malicious, but there are a few inconsistencies and expected risks (shell execution when installing, local filesystem reads) you should review before use.
- Guidance
- This skill appears to do what it says: search built-in/local/GitHub skills and install/create skills. Before installing or using it, review the main.js install/exec logic (look for exactly what commands it runs when installing a GitHub repo). Expect the CLI to read sibling skill directories (it scans SKILL.md/README.md), and expect it to write a local config.json in the skill directory. When installing a skill from GitHub, manually inspect the repo (or test in an isolated environment) because installers commonly shell out and may run repo-provided scripts. Also note the docs claim a different local-skill path (~/.openclaw/...) than the code uses — verify where it will actually search on your system if that matters.
Review Dimensions
- Purpose & Capability
- note: Name/description (search/install/create skills) align with the included code and docs. Minor mismatch: SKILL.md says local skills are in ~/.openclaw/workspace/skills/, but the searchLocal function in main.js looks at the parent directory of the skill (path.join(__dirname, '..')). That's inconsistent but plausibly an implementation detail.
- Instruction Scope
- note: SKILL.md instructs searching known, local, and GitHub sources and installing from GitHub. main.js implements these searches, reads local skill files (SKILL.md/README.md) in sibling directories, queries the GitHub search API, and references child_process.exec (used for installs). The instructions do not show the exact install commands the script will run; the presence of exec means installs could run arbitrary shell commands from repos, which is expected behavior for an installer but increases risk if you don't review targets first.
- Install Mechanism
- note: No install spec is declared (instruction-only), and no external archive downloads or extract steps are present in repository metadata. The included main.js uses HTTPS to call the GitHub API and uses child_process.exec for operations (likely cloning/installing). No suspicious external download URLs or shorteners were found in the provided files.
- Credentials
- ok: The skill declares no required env vars or credentials, and its code does not read secrets or environment variables. It uses only public GitHub API calls and local filesystem access relative to the skill location.
- Persistence & Privilege
- ok: The skill is not always-enabled, and it stores state in a local config.json (CONFIG_FILE in its directory). It does not request elevated privileges or modify other skills' configs according to the provided files.
