agentskills-io
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: agentskills-io
Version: 2.5.0
The skill bundle instructs the AI agent and users to download and execute code from a remote Git repository (github.com/agentskills/agentskills) using `uvx` or `uv tool install`. This occurs in `SKILL.md` for installation and one-shot validation, and in `scripts/validate-skills-repo.sh` for batch validation. While the remote code is the official `skills-ref` validator and the intent is to validate skills, fetching and executing external code introduces a supply chain risk, classifying this as a risky capability without clear malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the documented setup may execute code from the current state of the referenced GitHub repository.
The validation workflow fetches and installs a tool directly from a GitHub source without pinning a commit or release. This is central to the skill's purpose and disclosed, but users should be aware of the supply-chain dependency.
uv tool install git+https://github.com/agentskills/agentskills#subdirectory=skills-ref
Prefer pinning the validator to a trusted release or commit, and review the upstream repository before installing permanently.
A user running the script may change version fields across changed plugins and marketplace metadata.
The helper script edits plugin metadata files to bump versions. This is aligned with the documented versioning workflow and does not auto-commit, but it does mutate local project files.
jq --arg version "$new" '.version = $version' "$plugin_json" > "${plugin_json}.tmp"; ... mv "${plugin_json}.tmp" "$plugin_json"
Run it only in the intended repository, inspect the resulting git diff, and commit the changes only after review.
