jash

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run on the wrong folder, the packager could include unrelated or private local files in the generated .skill archive.

Why it was flagged

The bundled helpers create files in user-supplied locations and package every file under the selected skill folder. This is expected for a skill-creation utility, but users should choose clean directories and inspect archives before sharing them.

Skill content

skill_md_path.write_text(skill_content) ... for file_path in skill_path.rglob('*'): ... zipf.write(file_path, arcname)

Recommendation

Run the scripts only on intended skill directories, keep secrets out of skill folders, and review the archive contents before distribution.

What this means

Users have less external context for verifying the maintainer, project history, or intended registry identity.

Why it was flagged

The registry identity and provenance are sparse, and the external registry labels do not clearly match the internal skill name. The artifacts themselves are coherent, so this is a provenance and clarity note rather than evidence of malicious behavior.

Skill content

Name: jash; Slug: pro; Source: unknown; Homepage: none / SKILL.md: name: skill-creator

Recommendation

If provenance matters, review the included files and owner information before installing, and prefer a source with a clear homepage or repository when available.