ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

agentskills-io

v2.5.0

Create, validate, and publish Agent Skills following the official open standard from agentskills.io. Use when (1) creating new skills for AI agents, (2) validating skill structure and metadata, (3) understanding the Agent Skills specification, (4) converting existing documentation into portable skills, or (5) ensuring cross-platform compatibility with Claude Code, Cursor, GitHub Copilot, and other tools.

2· 2.2k·9 current·9 all-time
byVaskin Kissoyan@killerapp
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with the files and instructions: the SKILL.md teaches how to author and validate skills and references a validator repo. The two provided scripts (validate & bump) are reasonable for a skills repo toolset. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions direct use of the agentskills validator (via uv/uvx) and the included shell scripts (validate-skills-repo.sh, bump-changed-plugins.sh). Those actions are consistent with the stated purpose, but the instructions do tell the user/agent to run shell scripts and to create symlinks (ln -s). Running the scripts could modify files or perform git operations — the SKILL.md does not show their contents, so inspect them before execution.
Install Mechanism
No install spec is bundled with the skill; SKILL.md suggests installing the validator from its GitHub repo using uv or uvx (git+https URL). This is a standard, traceable approach and not an arbitrary binary download or obscure URL.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. That is proportional for a documentation/validation tool. The SKILL.md does not ask for unrelated secrets.
Persistence & Privilege
The skill does not set always:true and has no explicit install that grants persistent privileges. Model invocation flags are left at defaults (disable-model-invocation not set), so the skill could be invoked by the agent if platform policy allows — this is typical for utility skills but worth knowing.
Assessment
This skill appears to do what it says: authoring/validating Agent Skills. Before you run anything: (1) review the two shell scripts (scripts/validate-skills-repo.sh and scripts/bump-changed-plugins.sh) to confirm they only validate or update local metadata (and do not, for example, push commits or exfiltrate data), (2) verify the referenced validator repository (https://github.com/agentskills/agentskills) is the expected upstream, and (3) run validation steps in a sandbox or non-critical clone of your repo. If you are uncomfortable with model-initiated runs, check your platform's skill invocation settings because disable-model-invocation is not set by this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f4gxwk46ev1dkkxx2gpya3580mz3t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments