Skill Validator
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill’s purpose is legitimate, but its validator can run shell scripts from the skills it tests without sandboxing or confirmation.
Use this only on skills you already trust, or run it in an isolated sandbox. Avoid validating unknown/new skills with the execution-based workflow until it supports static-only checks, explicit approvals, and containment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a newly installed or malicious skill contains a harmful script, validating it could run that script with the user/agent’s local permissions.
The validator executes shell scripts from the skill being tested instead of only inspecting them. The provided code does not sandbox those executions or require explicit approval at the execution point.
first_script=$(ls "$SKILL_PATH/scripts"/*.sh 2>/dev/null | head -1) ... output=$($first_script 2>&1) && result=0 || result=$? ... output=$(bash "$SKILL_PATH/scripts/diagnose.sh" 2>&1 | head -5)
Make static analysis the default. Only execute target skill code after explicit user approval, inside a sandbox/container with timeouts, resource limits, restricted filesystem access, and preferably no network access.
A user asking to validate recent skills could unintentionally run code from several newly installed skills, increasing the blast radius if one is unsafe.
The recent-skill workflow chains validation over multiple installed skills. Because validate.sh may execute target skill scripts, one request can trigger multiple untrusted script executions without per-skill confirmation.
for skill in $recent_skills; do
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
bash ~/.openclaw/workspace/skills/skill-validator/scripts/validate.sh "$skill"
doneAdd per-skill confirmation, provide a static-only mode, clearly show which scripts would be executed, and avoid batch execution of target code by default.
Some documented commands may fail or may later depend on code that was not part of this review.
The documentation references runtime helper scripts that are not included in the supplied file manifest. This is not malicious by itself, but it means advertised capabilities are incomplete or would require unreviewed files.
bash ~/.openclaw/workspace/skills/skill-validator/scripts/validate-all.sh ... ├── test-basic.sh ├── test-edge.sh └── test-security.sh
Include all referenced helper scripts in the package, remove unsupported commands from the documentation, and align the manifest with the documented runtime behavior.