Skill Refiner
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a benign, read-only skill-file auditor with user-directed shell checks, an optional URL checker, and a persistent review log; users should run it intentionally.
This skill is reasonable to install if you want a manual quality-audit checklist for OpenClaw skills. Before using it, be aware that the optional link check makes network requests to URLs found in SKILL.md files, and the generated report is appended to memory/skill-refiner-log.md for future reference.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the optional link check can reveal your network/IP access to websites listed in skill files and may touch tracking or internal URLs.
The skill can make HTTP HEAD requests to URLs parsed from local SKILL.md files. This is optional, disclosed, quoted, and timeout-limited, but it still contacts external or internal URLs if run.
### Step 5: Link Freshness (optional — makes HTTP requests) ... curl -so /dev/null -w "%{http_code}" --max-time 5 -I "$url"
Only run the link freshness step when you intend network checks; inspect or restrict URLs first in sensitive or untrusted workspaces.
Review logs may persist across tasks and could influence future reviews if inaccurate or poisoned content is recorded.
The skill stores audit history in a persistent memory path, so filenames, issues, links, and review judgments may be reused or seen in later sessions.
Save to `memory/skill-refiner-log.md`. Append each review — track improvement over time.
Review the generated log, remove sensitive or misleading entries, and treat it as a report rather than authoritative instructions.
A user may not realize the documented workflow depends on local shell tools and curl until they follow the instructions.
The registry requirements do not declare runtime tools, while the SKILL.md says the workflow requires standard tools such as grep, curl, and python3. This is a minor setup/capability disclosure gap, not evidence of hidden code.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Declare the standard tool requirements in metadata, or keep the SKILL.md dependency notes prominent before any command examples.
