盘古·skill
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: pangu Version: 1.0.2 The 'pangu' skill bundle is a meta-tool designed to automate the creation of other AI agent skills by 'distilling' information from user-provided knowledge bases, folders, or documents. The core logic in SKILL.md follows a highly structured, multi-phase workflow (Phase 0-7) that includes requirement clarification, content analysis, framework extraction, and quality validation. The process incorporates explicit safety checkpoints (Phase 2.5 and 3.5) that require user confirmation before the agent proceeds to build the final skill. No evidence of data exfiltration, unauthorized system access, obfuscation, or malicious prompt injection was found. The skill's behavior is entirely consistent with its stated purpose of productivity and knowledge management within the IMA Copilot and OpenClaw ecosystems.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private notes, proprietary documents, or prior-chat details could be summarized into generated Skill files that may later be reused, zipped, uploaded, or shared.
The skill may process an entire knowledge base or prior conversation and turn that material into persistent Skill content; this is central to its purpose but can carry private or prompt-like content into future reuse.
读取策略:- 完整蒸馏:读取知识库所有文件和文件夹结构 ... - 任务蒸馏:分析对话历史,提取完整工作流
Use a clearly bounded source, exclude secrets and personal data, and review the generated SKILL.md, references, assets, and examples before installing or sharing them.
The agent may create or modify files in the chosen Skill directory as part of normal use.
The instructions direct the agent to create a Skill directory and write files after confirmation. That is purpose-aligned, but it is still local/project file mutation.
Phase 1.5: 创建 Skill 目录 ... 收到确认后立即执行 ... 所有参考文件必须存在 skill 目录内部
Confirm the output path, keep backups for existing Skills, and inspect file diffs before registering or installing the generated Skill.
Any referenced knowledge base that the agent can access may be used as source material for the generated Skill.
The skill relies on the user agent's existing access to an IMA knowledge base. No credentials or tokens are requested, and this access is expected for the stated purpose.
本技能自动读取 IMA 知识库内容并蒸馏 ... 知识库必须可访问 — 使用 `@知识库名称` 引用
Reference only knowledge bases you own or are authorized to process, and avoid granting broader workspace access than needed.