Skill v1.0.0

ClawScan security

Skill Factory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 12:08 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested resources align with its stated purpose (creating, evaluating, packaging, and analyzing OpenClaw skills); it operates locally on your skills workspace and does not request unrelated credentials or network exfiltration.
Guidance
This skill appears to do what it says: scaffold skills, validate frontmatter, scan installed skill SKILL.md files to synthesize patterns, and package skill folders. Before running:
1) Inspect the bundled scripts (they are included) to confirm behavior (they are plain Python).
2) Be aware analyze_patterns.py will read SKILL.md and related files under your skills directories (defaults include ~/.openclaw/workspace/skills and an openclaw path under ~/.nvm); avoid running it against directories that contain secrets you don't want aggregated.
3) When using init_skill or package_skill, pass explicit paths rather than relying on example find commands so you control what gets created or packaged.
4) If you plan to run these tools in an automated or shared environment, run them in a sandbox first to verify outputs.
Overall the package is internally consistent and does not ask for extra credentials or perform unexpected network calls.

Review Dimensions

Purpose & Capability
ok
Name/description (create/evaluate/package/analyze skills) match the included scripts and files: init_skill.py (scaffold), analyze_patterns.py (scan/analyze installed skills), package_skill.py (zip .skill), quick_validate.py (frontmatter checks). The default scan paths and helper commands relate to managing OpenClaw skills and are expected for this meta-skill.
Instruction Scope
ok
SKILL.md instructions direct the agent/operator to run the bundled Python scripts and to read SKILL.md files in the user's skills directories; that is coherent with analyzing and synthesizing skill patterns. The workflow does not instruct reading arbitrary unrelated system files or sending data to external endpoints. Note: some example commands use find across ~/.nvm and call the openclaw CLI to locate skill paths — these will examine files under those directories (expected for pattern analysis).
Install Mechanism
ok
There is no install spec; this is an instruction-only skill with bundled helper scripts. No remote downloads or archive extraction are performed by an installer. Running the scripts executes local Python code included in the bundle.
Credentials
note
The skill requests no environment variables or credentials. However, analyze_patterns.py and the examples scan user skill directories (default: ~/.openclaw/workspace/skills and an openclaw path under ~/.nvm). That means the tool will read many local SKILL.md and related files under those locations — expected for its purpose, but you should ensure those directories do not contain sensitive secrets you don't want aggregated into reports or stdout.
Persistence & Privilege
ok
always:false and there is no code that modifies other skills' configurations or global agent settings. init_skill.py will create new skill directories when invoked (normal scaffolding behavior). package_skill.py writes .skill archives of specified folders — all actions are local and scoped to user-specified paths.