Skill Vetter (by Azhua)
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
If followed, the agent may fetch repository metadata or skill files from GitHub for review.
Why it was flagged
The skill documents shell commands that make network requests to GitHub. They are examples for the stated vetting purpose, not hidden or automatic execution, but users should verify targets before running them.
Skill content
For GitHub-hosted skills: ```bash curl -s "https://api.github.com/repos/OWNER/REPO" | jq ... curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md" ```
Recommendation
Use these commands only with trusted, user-confirmed owner/repo values and treat any fetched skill content as untrusted evidence.