Skill Mixer

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: skill-mixer
Version: 1.0.0

The provided `_meta.json` and `SKILL.md` files contain standard metadata and documentation for a skill bundle. The `SKILL.md` serves as a comprehensive guide for a human user, detailing the skill's purpose, features, and steps for local testing, building, and publishing to ClawHub. There are no instructions within `SKILL.md` that attempt prompt injection against an AI agent, nor any commands or directives that suggest malicious intent, data exfiltration, or unauthorized actions. The commands mentioned (e.g., `pnpm cli`, `pnpm build`) are standard development operations, and the instructions are clearly directed at the user for managing the skill.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may trust this as a complete, tested integration even though the reviewed package does not contain the claimed implementation.

Why it was flagged

The reviewed package manifest reports only SKILL.md and no code files, so the production-ready source, tests, and implementation claims are not backed by the supplied artifacts.

Skill content

✅ Source Code ... 9 files, 905 lines of TypeScript ... ✅ PROJECT STATUS: 🟢 PRODUCTION READY ... All code implemented ✓ All tests pass ✓

Recommendation

Do not treat this as production-ready from the provided package alone; require the actual source files, tests, package metadata, and build instructions before deploying or publishing.

What this means

If the user obtains or runs a similarly named package elsewhere, that code has not been reviewed as part of this skill.

Why it was flagged

The documented commands depend on a package, package.json, and source files that are not present in the reviewed artifact set, so following them would rely on unreviewed local or external code.

Skill content

# Test locally
pnpm --filter @openclaw/skillmixer cli -- --mode=once

# Publish to ClawHub ... Build: pnpm build

Recommendation

Only run build or CLI commands from a verified repository/package whose contents match the documentation and have been separately reviewed.

What this means

A user may not know what account access or permissions a real implementation would need.

Why it was flagged

Credential use is plausible for ClawHub integration, but no required environment variables, scopes, or account permissions are declared in the reviewed metadata.

Skill content

Path 2: Deploy & Self-Host ... 3. Configure credentials

Recommendation

Before using any external implementation, confirm the exact credentials required, least-privilege scopes, storage location, and whether the tool can publish or modify ClawHub content.

Note

Medium Confidence

ASI10: Rogue Agents

What this means

If a separate implementation is used, it could keep operating on a schedule or in the background.

Why it was flagged

The document describes possible persistent or recurring execution modes, although no runnable daemon or loop implementation is included in the reviewed package.

Skill content

✅ Multiple Deployments      Cloud/Cron/K8s/Daemon ... Use: runOnce() or runLoop()

Recommendation

Use persistent modes only after reviewing the actual code, limiting permissions, and ensuring there is a clear stop, monitoring, and rollback process.