Skillcraft

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A generated skill could run local commands or background processes if the user approves that design.

Why it was flagged

The skill teaches generated CLI-wrapper skills how to run local commands. This is purpose-aligned for skill construction and includes safety guidance, but local command execution is still a capability users should review per generated skill.

Skill content

Use `exec` tool. Always set timeouts (hung CLIs block the agent). For long-running commands, use background mode + `process` tool to poll.

Recommendation

Review generated command lists, timeouts, arguments, and affected paths before using or publishing any skill produced with this guide.

Note

High Confidence

ASI10: Rogue Agents

What this means

A generated monitor skill could keep checking conditions and sending notifications after setup.

Why it was flagged

The monitor pattern describes scheduled or heartbeat-based behavior for generated monitoring skills. It is disclosed and purpose-aligned, but scheduled agent activity should be intentionally scoped.

Skill content

Use `cron` tool. See docs: `/automation/cron-jobs`.

### Heartbeat
Add check instructions to `<workspace>/HEARTBEAT.md` with a time threshold.

Recommendation

Only enable cron or heartbeat behavior with clear frequency, stopping conditions, notification destination, and state-cleanup guidance.

What this means

A generated skill may store state or memory that persists across sessions and affects future behavior.

Why it was flagged

The skill documents persistent memory and state locations for generated skills. This is expected for OpenClaw integration, but persistent context can influence later tasks if not bounded.

Skill content

State locations:
- `<workspace>/memory/` — user-facing context
- `{baseDir}/state.json` — skill-internal state (travels with skill)
- `<workspace>/state/<skill>.json` — skill state in common workspace area

Recommendation

For any generated skill, document what is stored, where it is stored, retention expectations, and how the user can inspect or delete it.

What this means

Users have less external provenance information to verify who authored or maintains the skill.

Why it was flagged

The registry metadata does not provide an external source or homepage for provenance review. The impact is limited because this is an instruction-only skill with no install spec or code files.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included instructions directly and rely on trusted registry ownership before installing or using it for important skill-building work.