Skill Engineer
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent for skill development, but it mandates broad memory searches and includes a default GitHub push step that could expose private context or publish changes without clearly scoped approval.
Before installing, decide whether you want this skill to query broad vector memory and pass context through multiple subagents. Disable or tightly scope memory search if private notes or secrets are indexed, review the DeepWiki dependency separately, and require an explicit human approval with a visible diff before any GitHub commit or push.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private notes, prior conversations, or remembered configuration details could be pulled into the current task and potentially influence or appear in generated skills or reports.
This requires broad persistent-memory access across private notes and prior sessions before ordinary file search, but the provided text does not clearly bound paths, exclusions, redaction, retention, or reuse in generated skill artifacts.
Before searching files manually, always query the vector memory database first. It indexes session history, Obsidian notes, and memory files
Only enable this with a clearly scoped memory index; exclude secrets/private notes, require user confirmation before broad memory searches, and add instructions not to copy sensitive memory into outputs.
The agent could publish incorrect, sensitive, or unwanted skill changes to a remote repository if the workflow is followed too automatically.
Pushing to GitHub is presented as a normal final workflow step, which can mutate a remote repository or publish generated content, but the provided artifacts do not show explicit user approval, target repo/branch limits, or rollback guidance.
README Sync → Push to GitHub ... Step 11 | Push to GitHub | Orchestrator | After README sync
Require explicit user confirmation before any commit or push, show a diff, specify the exact repository and branch, and prefer pull requests or dry-runs over direct pushes.
Installing the dependent DeepWiki skill may add behavior or access not evaluated here.
The skill declares an external skill dependency that is not reflected in the registry requirements and whose contents are not included in the reviewed artifact set.
`deepwiki` | Skill | Query OpenClaw source for current API behavior | `liaosvcaf/openclaw-skill-deepwiki`
Review and pin the DeepWiki dependency separately, declare it in metadata, and avoid treating unreviewed dependency output as fully trusted.
Information supplied for skill design may be shared among spawned subagents, increasing the number of contexts where sensitive details can appear.
The multi-agent Designer/Reviewer/Tester pattern is central and disclosed, but it means user requirements and generated artifacts may be passed across several agent sessions.
must be able to spawn subagents (e.g., via `sessions_spawn` in OpenClaw) ... At least 3 subagent sessions available per skill design cycle
Use non-sensitive requirements where possible, define what data each subagent receives, and avoid sending secrets or private memory results to reviewer/tester agents unless necessary.
