Skill v1.0.0
ClawScan security
SkillMe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 18, 2026, 5:37 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: SkillMe's stated purpose (searching and installing skills) is plausible, but the runtime instructions assume tools, filesystem paths, and actions that are not declared and carry non-trivial risks (running npx, fetching raw GitHub content, writing into /root paths), so the package contains inconsistencies you should review before installing.
- Guidance: This skill's purpose (finding and installing skills) is reasonable, but before installing or using it you should: 1) Ensure your environment has the tools it actually uses (clawhub, node/npm for npx, python3) or understand it will fail; the skill metadata does not list these requirements. 2) Be cautious about running the recommended npx commands (especially with -g -y) — npx can execute arbitrary remote package code. Prefer installing skills from well-known authors and inspect the SKILL.md and repository before adding. 3) Avoid running installs as root or into /root/.openclaw; pick a non-privileged workspace path. 4) When asked to convert or install a skill, manually review the fetched SKILL.md (the convert script fetches raw GitHub URLs) before writing/executing. 5) If you do not want the agent to autonomously install third-party code, disable autonomous invocation for this skill or require explicit user confirmation before performing installs. Overall: OK to use for discovery, but treat installation steps as potentially risky and verify sources and contents before proceeding.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md expects and instructs use of external tools (clawhub, npx/skills, python3) and writes to /root/.openclaw paths, but the skill metadata declares no required binaries, env vars, or config path access. This mismatch means the skill assumes privileges and host tooling that are not advertised — a coherence problem the user should be aware of.
- Instruction Scope (concern): Runtime instructions perform network fetches of arbitrary raw GitHub/skills.sh content and run external installers (npx skills add, clawhub install) and a conversion script that writes SKILL.md into chosen locations. These actions are within the skill's stated purpose (discovering/converting/installing skills) but carry the normal risks of executing or installing third-party code. The instructions default to root-style paths (/root/.openclaw/...), and the recommended npx commands may run untrusted package code (especially with -g -y).
- Install Mechanism (note): There is no install specification (instruction-only), which is lower risk for this wrapper. However, the workflow relies on external installers (clawhub and npx) and a bundled convert_skillssh.py that will fetch remote SKILL.md files and write them to disk. Using npx to add skills is effectively executing remote packages, which is expected for installing third-party skills but increases risk.
- Credentials (ok): The skill does not request environment variables or credentials, and the conversion script does not attempt to read secrets. Network access to fetch raw GitHub/skills.sh content is required and expected. There are no disproportionate credential requests.
- Persistence & Privilege (note): always:false (normal). The instructions assume writing into /root/.openclaw workspace or global skill directories, which implies elevated filesystem access; the skill does not declare these config path requirements. Also, because agent invocation is allowed by default, an agent could run these install commands autonomously — combine that with remote package execution (npx) and you have a larger blast radius if the agent is allowed to act without additional user confirmation.
