Skill v2.0.3

ClawScan security

skillnet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 27, 2026, 8:44 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is mostly coherent with its stated purpose (search/create/evaluate skills) but has several small inconsistencies and some install/network choices (unknown PyPI package, non-obvious API host, optional mirror) that warrant user caution before installing or providing keys.
Guidance
This skill appears to implement what it says, but proceed cautiously:

- Verify the 'skillnet-ai' package before installing: check its PyPI page and source repository to confirm the maintainer and review the code. Installing arbitrary PyPI packages can execute code on your machine.
- Confirm the API host(s) you'll interact with: the documentation lists api-skillnet.openkg.cn as the public search API and lets you set BASE_URL for your LLM endpoint. If you will send skill or document content to an LLM, prefer a local BASE_URL (e.g., a local vLLM) for sensitive data.
- Do not provide long‑lived or highly privileged credentials without understanding scope. API_KEY is required for create/evaluate/analyze; the SKILL.md instructs one‑shot injection but double‑check you’re not exporting keys to persistent files.
- Be cautious about using any 'mirror' option for GitHub downloads — a mirror could route content through an untrusted server. Prefer direct GitHub API downloads and review files locally before loading them into the agent context.
- There is a small metadata inconsistency: the registry lists no required env vars while the skill requires API_KEY; confirm this before running commands that prompt for keys.
- Inspect the included scripts (scripts/skillnet_create.py and skillnet_validate.py) — they appear benign and offline, but the actual network behavior depends on the 'skillnet-ai' package which the scripts import. Only run commands after you’ve reviewed the package and confirmed you trust the endpoints.

If you are comfortable verifying the package origin and using one‑time API key injection (or a local LLM), the skill is reasonable. If you cannot verify the upstream package or you must handle sensitive documents, decline to install or use a local BASE_URL and review all generated files before executing anything.

Review Dimensions

Purpose & Capability
ok
Name, description, CLI patterns, and included scripts align: the skill is for searching/downloading/creating/evaluating skills and the code and docs implement that. Requiring an API_KEY as the primary credential is appropriate for create/evaluate/analyze operations. The included Python scripts and CLI install suggestions are proportional to the declared functionality.
Instruction Scope
note
SKILL.md instructs the agent to search (no key), download only GitHub repos, require explicit user confirmation before downloading/loading/executing, and to never auto-run downloaded scripts — these are good restrictions. It writes artifacts to ~/.openclaw/workspace/skills and instructs what to show users for review. No instructions attempt to read unrelated system secrets or auto-exfiltrate data. Note: SKILL.md references openclaw.json and other local config locations as possible configured credentials (documented transparency), so you should verify what local config it may read in your environment.
Install Mechanism
concern
The registry shows 'no install spec' but the SKILL.md frontmatter contains install commands recommending 'pipx install skillnet-ai' or 'pip install skillnet-ai'. Installing a third‑party package from PyPI is a typical but higher‑risk install path because the package source and contents must be verified. Additionally, the client supports an optional 'mirror' (e.g. ghfast.top) for downloads — using a non-official mirror could redirect downloads through an untrusted host. No direct binary downloads or extract-from-URL patterns are present in the skill files, which reduces risk, but you should verify the 'skillnet-ai' package origin on PyPI/GitHub before running installs.
Credentials
concern
The primary credential declared is API_KEY and the docs consistently require API_KEY for create/evaluate/analyze; that is proportional. However, registry metadata lists 'Required env vars: none' while frontmatter and code clearly expect an API_KEY (primaryEnv). This metadata mismatch is confusing and should be resolved before installing. Optional env vars (BASE_URL, GITHUB_TOKEN, SKILLNET_MODEL, GITHUB_MIRROR) are reasonable for the described features but are privileges you should consider carefully (particularly BASE_URL and GITHUB_TOKEN for private repo access).
Persistence & Privilege
ok
The skill does not request 'always: true' and does not claim persistent background processes. It writes created/downloaded skills to a local workspace path (~/.openclaw/workspace/skills), which is expected. It does not attempt to modify other skills or system-wide settings in the included files.