jash
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a benign skill-building guide with local helper scripts; users should verify the sparse provenance and avoid packaging private files.
This skill is reasonable to install for help creating skills. Before running its helper scripts, use a dedicated clean skill folder, keep secrets out of that folder, inspect any .skill archive before sharing, and note that the registry source/homepage information is limited.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on the wrong folder, the packager could include unrelated or private local files in the generated .skill archive.
The bundled helpers create files in user-supplied locations and package every file under the selected skill folder. This is expected for a skill-creation utility, but users should choose clean directories and inspect archives before sharing them.
skill_md_path.write_text(skill_content) ... for file_path in skill_path.rglob('*'): ... zipf.write(file_path, arcname)Run the scripts only on intended skill directories, keep secrets out of skill folders, and review the archive contents before distribution.
Users have less external context for verifying the maintainer, project history, or intended registry identity.
The registry identity and provenance are sparse, and the external registry labels do not clearly match the internal skill name. The artifacts themselves are coherent, so this is a provenance and clarity note rather than evidence of malicious behavior.
Name: jash; Slug: pro; Source: unknown; Homepage: none / SKILL.md: name: skill-creator
If provenance matters, review the included files and owner information before installing, and prefer a source with a clear homepage or repository when available.