Skeall Skill Builder
Review
Audited by ClawScan on May 10, 2026.
Overview
Skeall is a coherent instruction-only skill builder/auditor, but its healthcheck mode can inspect local agent configs and recent session logs, so it deserves review before use.
Using Skeall to create, scan, or improve a specific skill appears aligned with its purpose. Be careful with `--healthcheck` and especially `--healthcheck-all`: review what local config files, logs, and URLs it will inspect, avoid sharing raw log/config contents, and review file diffs before accepting any changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running healthcheck could expose recent agent conversation history to the active model context while looking for trigger phrase matches.
Healthcheck mode may read recent agent session logs, which can contain private user prompts, outputs, and workflow details. The path scope is vague and the artifacts do not require explicit consent or redaction before access.
scan `description` trigger phrases against recent platform session logs (if available at `~/.openclaw/logs/` or similar). Zero matches in the last 30 days = confirmed orphan.
Make session-log scanning opt-in, define exact log paths and time windows, avoid printing log contents, and provide a no-log mode.
Local agent configuration details could be brought into context during healthcheck, including settings the user did not expect the skill to inspect.
The healthcheck workflow reads local agent/platform configuration files. That may be purpose-aligned for finding skill registrations, but it is not declared in the requirements and the instructions do not bound which fields are read or how sensitive settings are handled.
Collect all skill registry files: `~/.openclaw/openclaw.json` ... `~/.claude/settings.json` and `~/.claude/settings.local.json` ... `~/.agents/config.json`
Document these paths up front, ask before reading them, parse only the fields needed for skill registration, and redact any unrelated sensitive values from reports.
Running healthcheck may contact external or internal endpoints referenced by installed skills.
URL validation is purpose-aligned for finding stale endpoints, but it causes outbound network requests to URLs discovered in local skill files.
For each real URL, send HTTP HEAD request with 5-second timeout.
Use this mode only when endpoint probing is expected; consider a dry-run, allowlist, and private-network skip rules.
Approved changes may alter how installed agent skills behave in future sessions.
Improve mode can mutate skill files, but the artifact describes user approval before applying edits, which keeps the behavior purpose-aligned.
Ask user: "Fix all? Review one by one? Or just the HIGHs?" ... Apply approved edits.
Review proposed diffs and keep backups or version control before accepting edits.
