agentskills-io
Pass. Audited by ClawScan on May 1, 2026.
Overview
This skill is coherent and appears benign, but it asks users to run local shell commands and fetch an unpinned validator from GitHub.
This skill looks safe for its stated purpose. Before installing or running commands, review the GitHub validator source or pin it to a trusted version, and check local git diffs after using the version-bump script.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the documented setup may execute code from the current state of the referenced GitHub repository.
The validation workflow fetches and installs a tool directly from a GitHub source without pinning a commit or release. This is central to the skill's purpose and disclosed, but users should be aware of the supply-chain dependency.
uv tool install git+https://github.com/agentskills/agentskills#subdirectory=skills-ref
Prefer pinning the validator to a trusted release or commit, and review the upstream repository before installing permanently.
A user running the script may change version fields across changed plugins and marketplace metadata.
The helper script edits plugin metadata files to bump versions. This is aligned with the documented versioning workflow and does not auto-commit, but it does mutate local project files.
jq --arg version "$new" '.version = $version' "$plugin_json" > "${plugin_json}.tmp"; ... mv "${plugin_json}.tmp" "$plugin_json"
Run it only in the intended repository, inspect the resulting git diff, and commit the changes only after review.
