Back to skill
Skillv1.0.1
ClawScan security
Skill Assessment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 13, 2026, 9:47 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's purpose (evaluating other skills) is sensible, but the runtime instructions reference a CLI tool and user skill paths that are not provided or declared, creating an incoherence between what it says it will do and what it actually supplies.
- Guidance
- This skill describes a useful checker, but it only contains documentation — it does not include the 'skill-assess' CLI or an install step. Before installing or trusting it, confirm whether an external 'skill-assess' tool is expected to be present (and where it comes from), or whether the SKILL.md is intended for a human operator. Also be aware: running an assessor against ~/.openclaw/skills will make the agent read local skill code and metadata, so only run it if you trust the evaluated skills and the implementation of the assessor. If you need to proceed, ask the author for the implementation or for a declared install spec and explicit config-path requirements.
Review Dimensions
- Purpose & Capability
- noteThe name and description match: this is a skill-quality assessor. However, the SKILL.md shows usage of a 'skill-assess' CLI which is not provided by the package, and no required binaries or install step are declared — an implementation mismatch.
- Instruction Scope
- concernThe instructions show commands that operate on local skill directories (e.g., ~/.openclaw/skills/...), which is appropriate for an assessor but the SKILL.md does not declare those config paths. As-written the runtime instructions would cause the agent to read local skill files without explicit config-path declarations.
- Install Mechanism
- okThis is an instruction-only skill with no install spec or code files. That is low-risk, but also means the skill provides no executable implementation — the agent cannot perform the documented CLI actions unless an external tool already exists.
- Credentials
- noteNo environment variables or credentials are requested, which is proportionate. Minor inconsistency: the SKILL.md references a user config path (~/.openclaw/skills) but the registry metadata does not list any required config paths.
- Persistence & Privilege
- okThe skill does not request always-on presence and uses default invocation settings. There is no indication it would modify other skills or system-wide settings.