jash
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: pro Version: 1.0.0 This skill bundle is designed to guide an AI agent in creating and packaging other OpenClaw skills. The `SKILL.md` provides detailed instructions for this process, including the use of local Python scripts (`scripts/init_skill.py` and `scripts/package_skill.py`). These scripts perform file system operations (creating directories, writing template files, zipping skill bundles) that are entirely consistent with the skill's stated purpose. Notably, `scripts/quick_validate.py` acts as a security control, enforcing proper `SKILL.md` frontmatter format and preventing potentially harmful characters like angle brackets in the description, which mitigates prompt injection risks. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection with harmful objectives.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on the wrong folder, the packager could include unrelated or private local files in the generated .skill archive.
The bundled helpers create files in user-supplied locations and package every file under the selected skill folder. This is expected for a skill-creation utility, but users should choose clean directories and inspect archives before sharing them.
skill_md_path.write_text(skill_content) ... for file_path in skill_path.rglob('*'): ... zipf.write(file_path, arcname)Run the scripts only on intended skill directories, keep secrets out of skill folders, and review the archive contents before distribution.
Users have less external context for verifying the maintainer, project history, or intended registry identity.
The registry identity and provenance are sparse, and the external registry labels do not clearly match the internal skill name. The artifacts themselves are coherent, so this is a provenance and clarity note rather than evidence of malicious behavior.
Name: jash; Slug: pro; Source: unknown; Homepage: none / SKILL.md: name: skill-creator
If provenance matters, review the included files and owner information before installing, and prefer a source with a clear homepage or repository when available.