Skill Mixer
v1.0.0
Processes and auto-categorizes 150 skills into 12 composite master skills with ClawHub integration and multiple deployment options.
⭐ 3 · 1.6k · 1 current · 1 all-time
by @grxkun
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The runtime instructions describe a 26-file TypeScript project (source files, adapters, build steps, deployment guides) and recommend building and uploading to clawhub.ai, but the registry entry contains only SKILL.md and no code files, package.json, or homepage. The declared metadata contains no description or repository link. A user expecting a packaged SkillMixer project would legitimately need the listed source and packaging files — their absence is an incoherence.
Instruction Scope
SKILL.md instructs the operator/agent to read many local docs (START_HERE.md, CLAWHUB_PUBLISH_GUIDE.md, etc.), run pnpm build or pnpm --filter ... cli, and "configure credentials" for deployment. None of those files exist in the bundle and no specific credential names or endpoints are declared. The instructions are actionable (run build/upload, configure credentials) but refer to artifacts and secrets that are neither provided nor enumerated, which could prompt the agent or user to fetch external content or reveal credentials.
Install Mechanism
There is no install spec and no code files — from an installation-risk perspective this is lower risk because nothing is written or executed by the skill itself. However, the SKILL.md expects a project build and external tooling (pnpm) that would execute if the user follows the instructions; the lack of a package means a user might be encouraged to fetch or run unknown code from elsewhere, which shifts the risk to out-of-band actions.
Credentials
The registry lists no required environment variables or primary credential, yet the instructions tell users to "Configure credentials" for cloud/K8s/ClawHub deployment without specifying what credentials are needed. This omission is disproportionate: a deployable ClawHub adapter would normally declare which API keys or tokens it needs. The vagueness raises the risk the user or agent may be asked to supply unrelated secrets later.
Persistence & Privilege
The skill does not request always:true, does not ship code or install hooks, and does not declare any config-path or system modifications. Autonomous model invocation is allowed by default (normal) but is not combined here with any declared broad privileges.
What to consider before installing
Do not follow the build/upload commands or supply credentials until the package contents and origin are clarified. The SKILL.md claims many source files and docs that are not present in the registry entry — this could be an accidental incomplete publish or an attempt to get you to fetch/run external code or reveal secrets. Ask the publisher for: (1) a link to the authoritative repository or release, (2) the missing files (package.json, source, docs), and (3) an explicit list of any required environment variables and endpoints. If you decide to run build/upload steps later, first inspect the full repository locally, review package.json and all code, and run builds inside an isolated VM or container. If you already provided credentials after following these instructions, rotate them and audit any activity.
Like a lobster shell, security has layers — review code before you run it.
