v1.0.0

Smart Skill Finder

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 7:51 AM.

Analysis

The skill’s purpose is coherent, but it needs review because its code passes user search text into a shell command and may overstate security verification of recommended skills.

Guidance: Before installing, confirm the maintainer has removed shell=True or otherwise safely handles user queries, treat security badges as informational unless backed by actual scanner data, and manually review any third-party skill before running the suggested install command.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: High; Confidence: High; Status: Concern
scripts/ecosystems.py
search_terms = " ".join(query.get('keywords', [])); cmd = f'npx skills find "{search_terms}" --json'; subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=10)

Search terms derived from the user's natural-language query are interpolated into a shell command and run with shell=True. Quoting alone does not prevent a crafted quote or shell metacharacter from changing the command.

User impact: A maliciously crafted search request could potentially cause local commands to run on the user’s machine when the skill searches Skills CLI.
Recommendation: Do not use shell=True here. Call subprocess with an argument list such as ['npx', 'skills', 'find', search_terms, '--json'], validate/limit query text, and declare the npx/Skills CLI dependency.

Human-Agent Trust Exploitation
Severity: Medium; Confidence: High; Status: Concern
scripts/ecosystems.py
install_command=f"npx skills add {skill_data.get('package', '')}", ... security_status='clean'

The Skills CLI parser assigns a clean security status while building an install command, without showing scanner evidence in that branch. The presentation code later maps clean status to a security-verified message.

User impact: Users may trust and install a recommended third-party skill because it appears verified even when the artifact does not show that verification was actually checked.
Recommendation: Only show 'Security verified' when scanner data was actually retrieved and validated. Otherwise display 'unknown' or 'basic validation only' and encourage manual review.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
config.json
"default_install_commands": { "skills_cli": "npx skills add {package}", "clawhub": "clawhub install {author}/{skill}", "github": "git clone {repo_url} ~/.openclaw/skills/{skill_name}" }

The skill’s core function is to recommend installing third-party skills from multiple ecosystems. This is disclosed and user-directed, but it is inherently supply-chain-sensitive.

User impact: Installing a recommended skill can add new code and instructions to the user’s agent environment.
Recommendation: Review the source, author, security scan status, and install command for each recommended skill before installing it.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: Medium; Status: Note
README.md
- Reads your existing skills to avoid duplicates
- Considers your project context and domain
- Can reference past skill discovery conversations
- Builds knowledge of your preferred ecosystems

The README describes using workspace context and past conversations/preferences. That fits personalized recommendations, but the artifacts do not define retention, scope, or opt-out behavior.

User impact: Past recommendations or stored preferences could influence future suggestions, and inaccurate or sensitive context could be reused.
Recommendation: Use clear opt-in memory behavior, document what is stored or read, and avoid storing sensitive conversation content unless the user explicitly approves.