Skill Forge

WarnAudited by ClawScan on May 10, 2026.

Overview

Skill Forge is mostly aligned with skill generation, but it can modify the local skill library and publish generated skills publicly with limited credential and approval boundaries.

Install only if you are comfortable with a skill that can scan and modify your local OpenClaw skills and potentially publish generated skills. Before using publish or deploy features, review generated SKILL.md, agent-config.json, and scripts, confirm the target account and visibility, and avoid feeding untrusted text into generation without manual review.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High

#ASI02: Tool Misuse and Exploitation

What this means

A generated or modified skill could be published to the user's ClawHub account publicly before the user has reviewed the exact contents.

Why it was flagged

The code can publish a generated skill through the ClawHub CLI while suppressing confirmation with -y. Public publishing is purpose-aligned, but it is high-impact and the artifact does not show a final preview, approval, or visibility safeguard.

Skill content

result = run(["clawhub", "publish", "-y"], cwd=skill_dir, capture_output=True, text=True)

Recommendation

Make publishing dry-run by default, remove automatic -y confirmation, show the final files and visibility setting, and require explicit user approval immediately before publishing.

Medium

#ASI03: Identity and Privilege Abuse

What this means

The skill may act with the user's publishing authority without a clearly declared credential boundary or account scope.

Why it was flagged

Publishing through the ClawHub CLI likely uses the user's local ClawHub session or credentials, while the registry metadata declares no primary credential and no required environment variables.

Skill content

result = run(["clawhub", "publish", "-y"], cwd=skill_dir, capture_output=True, text=True)

Recommendation

Declare the ClawHub credential/account requirement, document which account permissions are used, and require the user to confirm the target account and publication scope.

Medium

#ASI06: Memory and Context Poisoning

What this means

Untrusted or malformed input could become persistent SKILL.md content that future agents may load and trust as instructions.

Why it was flagged

The script writes persistent skill instructions into the local skills directory using user-provided descriptions and source skill names, with no visible sanitization or escaping.

Skill content

with open(os.path.join(path, "SKILL.md"), "w") as f:
        f.write(generate_skill_md(safe_name, desc, sources))

Recommendation

Validate and escape user-provided text before writing SKILL.md, prevent instruction-like payloads from becoming authoritative, and show a diff for approval before saving generated skills.

Medium

#ASI08: Cascading Failures

What this means

A mistake in generated content can spread into Agent configuration and public publication workflows, increasing the blast radius beyond one local file.

Why it was flagged

Generated Agent configs default to public publishing metadata, so a bad generated skill or poisoned input can propagate from local generation into a deployable/public artifact.

Skill content

"deploy": {
            "platform": "clawhub",
            "config": {
                "publish": True,
                "visibility": "public",
                "pricing": "free"
            }
        }

Recommendation

Default generated deployment settings to private/draft, require explicit promotion to public, and add validation plus rollback instructions.