skill-list

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's behavior is consistent with its stated purpose of listing installed OpenClaw skills. Two minor points are noted: it reads local skill metadata, and it invokes the local `clawhub` CLI.

This appears safe for its stated purpose. Before using it, be aware that it will inspect your local OpenClaw skills directory and call the local `clawhub list` command to show installed skills.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the script depends on the local `clawhub` binary and will display whatever that trusted CLI reports.

Why it was flagged

The helper script invokes the local `clawhub` command. This is purpose-aligned for listing skills, uses an argument array rather than shell interpolation, and does not include user-controlled command construction.

Skill content

```python
result = subprocess.run(['clawhub', 'list'], capture_output=True, text=True)
```

Recommendation

Use it in an environment where the `clawhub` CLI is installed and trusted; declaring this dependency in metadata would make the requirement clearer.

What this means

Installed skill names and short descriptions may be surfaced to the agent/user, including any untrusted text present in those descriptions.

Why it was flagged

The script reads description lines from installed skills' SKILL.md files and prints them. This is central to the skill's purpose, but those descriptions are local persisted metadata from other skills and should be treated as metadata, not instructions.

Skill content

```python
SKILLS_DIR = os.path.expanduser("~/.openclaw/workspace/skills")
...
with open(skill_md, 'r', encoding='utf-8') as f:
...
if 'description:' in line.lower():
...
return desc[:100]
```

Recommendation

Treat listed descriptions as informational only, and avoid placing secrets or operational instructions in skill description fields.