ClawHub

Skill Quick Index

v1.0.1

Build a wide-trigger, precise-match index for local OpenClaw skills (L1-L3), then quickly route by intent/category/keywords.

0· 383·2 current·3 all-time
by@halfmoon82
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the provided artifacts: an index JSON and a lookup script for routing skills. However the SKILL.md and README state the skill 'scans local skills in ~/.openclaw/workspace/skills/*/SKILL.md' and 'builds' an index — there is no code here that scans that path or constructs the index; the package instead ships a static index/skill_index.json. This mismatch is likely poor documentation or an omitted builder, not necessarily malicious, but it's an unexplained discrepancy.
!
Instruction Scope
SKILL.md instructs scanning user skill files under ~/.openclaw/workspace/skills/*/SKILL.md, which would require reading user files, but the runtime script (scripts/skill_lookup.py) only loads the packaged index/skill_index.json and does not access that path. The instructions therefore overstate the script's behavior and imply filesystem access that is not declared. This is scope creep / documentation mismatch that should be clarified.
Install Mechanism
No install spec, no downloads, and included code is local. The lookup tool is a simple Python script with no external dependencies and no network or subprocess usage — low install risk.
Credentials
The skill declares no required environment variables, credentials, or config paths. The included code only reads a local JSON file and prints results. No secrets or external credentials are requested or used.
Persistence & Privilege
The skill is not forced always-on and does not request persistent/system-wide changes. It is user-invocable only; no autonomous/always-true privileges are claimed.
What to consider before installing
This package appears to be a local, read-only lookup tool (scripts/skill_lookup.py) operating on a shipped index (index/skill_index.json). However, the documentation claims the skill 'scans local skills' and 'builds' an index — those behaviors are not implemented in the included script. Before installing or relying on it: (1) confirm whether you need an index builder (the supplied index is static and may be stale); (2) if you expect automatic scanning of ~/.openclaw/workspace, ask the author for the scanner code or review any additional scripts — scanning user directories would read your local skill files and needs explicit consent; (3) inspect the shipped index JSON for any sensitive references you don't want shared; and (4) if you plan to run or extend it, consider running the Python script in a restricted environment (no network access) and review any future changes for network calls or subprocess execution. The inconsistency looks like poor documentation rather than active malicious behavior, but clarification from the author is recommended.

Like a lobster shell, security has layers — review code before you run it.

latestvk970seb98pezdf7x4hgr8zqyf182053rroutingvk970seb98pezdf7x4hgr8zqyf182053rskillsvk970seb98pezdf7x4hgr8zqyf182053r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments