Skill Mixer
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may trust this as a complete, tested integration even though the reviewed package does not contain the claimed implementation.
The reviewed package manifest reports only SKILL.md and no code files, so the production-ready source, tests, and implementation claims are not backed by the supplied artifacts.
✅ Source Code ... 9 files, 905 lines of TypeScript ... ✅ PROJECT STATUS: 🟢 PRODUCTION READY ... All code implemented ✓ All tests pass ✓
Do not treat this as production-ready from the provided package alone; require the actual source files, tests, package metadata, and build instructions before deploying or publishing.
If the user obtains or runs a similarly named package elsewhere, that code has not been reviewed as part of this skill.
The documented commands depend on a package, package.json, and source files that are not present in the reviewed artifact set, so following them would rely on unreviewed local or external code.
# Test locally
pnpm --filter @openclaw/skillmixer cli -- --mode=once
# Publish to ClawHub ... Build: pnpm build
Only run build or CLI commands from a verified repository/package whose contents match the documentation and have been separately reviewed.
A user may not know what account access or permissions a real implementation would need.
Credential use is plausible for ClawHub integration, but no required environment variables, scopes, or account permissions are declared in the reviewed metadata.
Path 2: Deploy & Self-Host ... 3. Configure credentials
Before using any external implementation, confirm the exact credentials required, least-privilege scopes, storage location, and whether the tool can publish or modify ClawHub content.
If a separate implementation is used, it could keep operating on a schedule or in the background.
The document describes possible persistent or recurring execution modes, although no runnable daemon or loop implementation is included in the reviewed package.
✅ Multiple Deployments Cloud/Cron/K8s/Daemon ... Use: runOnce() or runLoop()
Use persistent modes only after reviewing the actual code, limiting permissions, and ensuring there is a clear stop, monitoring, and rollback process.
