Skill Manager

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved, the skill can change which skills are installed and available to the agent.

Why it was flagged

The skill can direct install, update, and uninstall actions that change the user's installed skills, but the artifact explicitly requires consent before those actions.

Skill content

Always get consent before install/update/remove

Recommendation

Only approve installs, updates, or removals after reviewing the target skill and confirming the slug is correct.

What this means

Installing or updating another skill may introduce code or instructions from the registry into the user's environment.

Why it was flagged

The skill transparently discloses that its management commands rely on registry-sourced code execution, which is expected for this purpose but still supply-chain relevant.

Skill content

This skill uses `npx clawhub` commands which download and execute code from ClawHub registry.

Recommendation

Review skill details and provenance before approving any install or update.

What this means

The agent may reuse this local inventory to avoid repeated suggestions and to guide future lifecycle management.

Why it was flagged

The skill stores persistent local memory about installed skills and declined suggestions, including the user's stated reason.

Skill content

Inventory at `~/skill-manager/inventory.md`... Skills user installed... Skills user explicitly declined

Recommendation

Avoid putting sensitive personal details in declined-skill reasons, and review or delete ~/skill-manager/inventory.md if preferences should be cleared.