LeiAlexZhang/local-skill-installer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a straightforward, instruction-only installer for user-provided local skill ZIPs, but installing a skill changes the agent environment, so the ZIP should be trusted first.
This skill appears coherent and benign for installing a local OpenClaw skill. Before using it, make sure the ZIP is from a source you trust, review its SKILL.md, and confirm the destination path because the installed skill can persist and influence future agent behavior.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user-approved ZIP can be installed into the active skills area, affecting what the agent may do in future sessions.
This directs the agent to mutate the active skill installation. That is expected for a local skill installer, but users should recognize it changes the agent's available behavior.
Move the extracted skill folder into the Skills directory.
Only use this when you intentionally want to install the local ZIP, and review the final path and package contents before trusting the installed skill.
If the selected ZIP contains an unsafe or misleading skill, this installer could place it where OpenClaw can use it later.
The documented validation checks that the ZIP has the expected skill structure, but it does not establish that the local ZIP came from a trusted source or that its instructions are safe.
Validate that it looks like an OpenClaw skill:
- must contain `SKILL.md`
Install only ZIPs from trusted sources, inspect the included SKILL.md and metadata first, and consider scanning or reviewing the skill before loading it.
