Skillcraft
PassAudited by ClawScan on May 1, 2026.
Overview
Skillcraft is a coherent instruction-only guide for building OpenClaw skills, with no installed code, but users should review any generated scripts, scheduled jobs, memory use, or messaging integrations before applying them.
This skill appears safe to install as an instruction-only OpenClaw skill-building guide. Before using any skill it generates, review the proposed files, scripts, command execution, cron or heartbeat behavior, message destinations, secrets handling, and memory/state locations.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated skill could run local commands or background processes if the user approves that design.
The skill teaches generated CLI-wrapper skills how to run local commands. This is purpose-aligned for skill construction and includes safety guidance, but local command execution is still a capability users should review per generated skill.
Use `exec` tool. Always set timeouts (hung CLIs block the agent). For long-running commands, use background mode + `process` tool to poll.
Review generated command lists, timeouts, arguments, and affected paths before using or publishing any skill produced with this guide.
A generated monitor skill could keep checking conditions and sending notifications after setup.
The monitor pattern describes scheduled or heartbeat-based behavior for generated monitoring skills. It is disclosed and purpose-aligned, but scheduled agent activity should be intentionally scoped.
Use `cron` tool. See docs: `/automation/cron-jobs`. ### Heartbeat Add check instructions to `<workspace>/HEARTBEAT.md` with a time threshold.
Only enable cron or heartbeat behavior with clear frequency, stopping conditions, notification destination, and state-cleanup guidance.
A generated skill may store state or memory that persists across sessions and affects future behavior.
The skill documents persistent memory and state locations for generated skills. This is expected for OpenClaw integration, but persistent context can influence later tasks if not bounded.
State locations:
- `<workspace>/memory/` — user-facing context
- `{baseDir}/state.json` — skill-internal state (travels with skill)
- `<workspace>/state/<skill>.json` — skill state in common workspace areaFor any generated skill, document what is stored, where it is stored, retention expectations, and how the user can inspect or delete it.
Users have less external provenance information to verify who authored or maintains the skill.
The registry metadata does not provide an external source or homepage for provenance review. The impact is limited because this is an instruction-only skill with no install spec or code files.
Source: unknown Homepage: none
Review the included instructions directly and rely on trusted registry ownership before installing or using it for important skill-building work.