Skill Factory
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it says—create, analyze, validate, and package OpenClaw skills—with no evidence of hidden exfiltration or destructive behavior.
This looks safe to install as a local skill-building utility, but treat its outputs as code/configuration: review generated skills, check package contents before publishing, and be aware that the pattern analyzer summarizes installed skill descriptions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can create or modify local skill files that may influence future agent behavior.
The skill instructs the agent/user to run bundled Python helper scripts that create files under the OpenClaw skills workspace. This is central to the stated purpose, but it is still local file mutation that users should understand.
python3 .../scripts/init_skill.py <skill-name> --path ~/.openclaw/workspace/skills/ --resources scripts,references --examples
Use it on intended skill directories only, and review generated SKILL.md and helper files before relying on or publishing them.
If installed skills contain private descriptions or misleading instructions, those snippets may appear in pattern reports and influence newly synthesized skills.
The analysis script scans installed skill directories and extracts descriptions, trigger phrases, tools, and output patterns for reuse in reports and synthesis workflows.
DEFAULT_SCAN_DIRS = ["~/.openclaw/workspace/skills/", "~/.nvm/versions/node/v22.22.0/lib/node_modules/openclaw/skills/"]
Review generated pattern reports before using them as guidance, especially if your installed skills come from untrusted sources.
If a skill folder accidentally contains secrets, temporary files, or unrelated private files, packaging could include them in the archive before publishing.
The packager recursively includes every file inside the chosen skill directory in the .skill archive.
for file_path in skill_path.rglob("*"):
    if file_path.is_file():
        ...
        zipf.write(file_path, arcname)
Inspect the skill folder and resulting .skill archive before sharing or publishing it.
The skill may fail or behave inconsistently if python3 or PyYAML is unavailable, despite metadata suggesting no requirements.
The registry metadata does not declare runtime requirements, while the artifacts include Python scripts and quick_validate.py imports yaml.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill ... Code file presence: scripts/analyze_patterns.py, scripts/init_skill.py, scripts/package_skill.py, scripts/quick_validate.py
Confirm python3 and required Python modules are available before using the helper scripts.
