Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skill Manager
v1.0.0
Manages skill distribution and visibility across AI agents using a two-layer, two-dimension Universal Skill Manager with syncing and scope control.
⭐ 0· 77·0 current·0 all-time
by Hulk @hulk-yin
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (manage distribution and visibility of skills) aligns with the provided scripts and documentation: the code implements a hub + agent directories model and symlink-based distribution. Requesting no network credentials and no external binaries is consistent with a purely local filesystem manager.
Instruction Scope
SKILL.md instructs the agent/operator to run included scripts (sync_skills.sh, migrate_to_hub.sh) and to edit meta.yaml files. Those instructions entail reading and modifying many user-home directories (e.g., ~/.skills, ~/.claude/skills, ~/.cursor/skills, ~/.openclaw/skills) and writing/removing files and symlinks. The provisioning guidance defaults to making skills 'universal' when uncertain, which increases scope/visibility automatically. The instructions do not require explicit user confirmation before destructive operations (the scripts have a --dry-run flag but SKILL.md emphasizes 'MUST run' without mandating dry-run/confirmation).
Install Mechanism
There is no install spec or external downloads (lower supply-chain risk). However, this is not a pure documentation-only skill: it bundles two multi-thousand-byte shell scripts that will be executed against user directories. That increases risk relative to an instruction-only skill because these scripts can move, delete, and generate files on disk.
Credentials
The skill declares no required env vars or config paths, but the scripts implicitly require and modify configuration under $HOME (e.g., ~/.skills/, ~/.skills/agents.yaml, per-agent skill dirs). The implicit requirement to access and mutate multiple agent directories is not surfaced in requires.* metadata—this mismatch is noteworthy because the skill will act across the user's home tree without upfront declared scope.
Persistence & Privilege
The skill is not 'always: true' and does not request credentials. Still, it modifies global/local skill state (creating symlinks, moving directories, generating meta.yaml). Those are persistent changes to the filesystem and agent environments; they are legitimate for this manager but warrant explicit user consent and backups before execution.
What to consider before installing
This skill appears to implement what it claims, but it performs powerful filesystem operations that can move, overwrite, or remove skill directories and will by default make new/uncertain skills 'universal' (visible to all agents). Before installing or running it:
1) Inspect the two scripts (migrate_to_hub.sh and sync_skills.sh) yourself to confirm you understand what will change.
2) Run operations in --dry-run mode first (both scripts support it) and verify the reported actions.
3) Back up your ~/.skills and any agent skill directories.
4) Ensure ~/.skills/agents.yaml exists and is correct (the sync script will exit if missing).
5) Avoid running migrate_to_hub.sh without review—it uses mv, rm -rf and can delete or relocate directories.
6) Do not rely on the 'default to universal' rule if you want limited visibility—explicitly set scopes in meta.yaml.
7) Run these scripts as your normal (non-root) user and avoid automated/unreviewed autonomous invocation until you’ve validated behavior.
If you are uncomfortable with the scripts manipulating home directories, consider a manual, incremental approach (create a test hub and test agent dirs) or decline installation.
Like a lobster shell, security has layers — review code before you run it.
