Universal Skills Manager
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate skills manager, but it can change persistent skills across many AI tools from remote sources while its registry declarations understate its tools, network, credential, and invocation needs.
Review this carefully before installing. It is not shown to be malicious, but it is a high-authority package manager for AI skills. Use project-level installs where possible, approve every source and destination explicitly, review downloaded skills before enabling them, avoid embedding API keys in ZIPs, and verify the registry metadata is corrected before trusting autonomous use.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unsafe install/sync action could change how multiple AI tools behave in future sessions.
This gives the agent broad authority to mutate installed skills and agent behavior across many tools and scopes. That is purpose-aligned, but high-impact and should be tightly confirmed and bounded.
manages installation, and synchronization across Claude Code, Gemini CLI, Google Anti-Gravity, OpenCode, and other AI tools. Handles User-level (Global) and Project-level (Local) scopes.
Use only with explicit user approval for each source, destination, and scope; prefer project scope; require dry-run/diff output and backups before modifying global skill directories.
Users may install it without seeing that it needs local command execution, network access, and optional credential handling.
The registry under-declares requirements that SKILL.md itself lists, including python3, curl, network access, and SKILLSMP_API_KEY. For a skill manager that installs other skills, this reduces user visibility into dependencies and authority.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Update registry metadata to declare required binaries, network domains, optional credentials, and capability tags; do not rely only on SKILL.md text for these security-relevant requirements.
A remote repository or branch could change after search results are produced, causing different skill content to be installed.
The installer downloads skill files directly from GitHub branches/raw URLs. That is expected for this skill's purpose, but mutable remote sources are a supply-chain risk unless users review and trust them.
return f"https://raw.githubusercontent.com/{owner}/{repo}/{branch}/{encoded_path}/{encoded_filename}"
Prefer pinned commit URLs or signed releases, show the exact source and commit before install, and let users review downloaded SKILL.md and scripts before activation.
One unsafe skill installation could spread across several AI tools and affect multiple future workflows.
Cross-tool synchronization can propagate a bad, incompatible, or malicious skill from one agent environment into others.
Wants to sync skills between different AI tools (e.g., "Copy this Gemini skill to OpenCode").
Require explicit confirmation before every cross-tool sync, scan each skill before copying, and keep an audit log of source and destination paths.
If configured, the agent may use a provider API key while searching or packaging skills.
The skill documents use of an API key for SkillsMP. This is expected for the integration, but it is not reflected in the registry credential declarations.
primaryEnv: SKILLSMP_API_KEY
Use a least-privilege key, keep it in environment/config where possible, avoid embedding it in ZIPs, and rotate it if a packaged skill is shared.
Running the command executes remote code on the user's machine.
This is a user-directed setup workaround, not evidence of automatic execution, but piping a remote script into a shell is a sensitive install pattern.
curl -fsSL https://raw.githubusercontent.com/jacob-bd/universal-skills-manager/main/install.sh | sh -s -- --tools claude
Download and inspect the script first, verify the repository and commit, and avoid piping remote code directly into a shell.
