skill-craft
v1.0.1
Create, optimize, or update AgentSkills with evidence-based design. Two modes: (1) CREATE — build new skills from scratch with proven design patterns. (2) OP...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the contents. The shipped Python scripts (init, package, quick_validate) and the references are appropriate for a 'skill authoring/optimization' meta-skill — they create templates, validate SKILL.md, and package skill folders, which a skill-authoring tool legitimately needs.
Instruction Scope
SKILL.md contains detailed runtime guidance that intentionally instructs reading/writing files, creating scripts/resources, running validation and packaging scripts, and using filesystem-based state patterns. This is expected for a skill-authoring tool, but it means the agent will be instructed to manipulate the local workspace and may execute scripts if invoked — review any generated or bundled scripts before running them.
Install Mechanism
No install spec or external downloads. The skill is instruction-first and ships local Python scripts; nothing fetches arbitrary code from external URLs. This is low-risk compared with remote-download installers.
Credentials
The skill declares no environment variables, no credentials, and no config paths. The capability to create files/directories and set executability (chmod) is appropriate for a tool that scaffolds and packages skills.
Persistence & Privilege
always:false and normal autonomous invocation are used. The skill manipulates files within skill directories (creating templates, packaging .skill zip), but it does not request system-wide persistence or modify other skills' configs. No elevated platform privileges are asserted.
Assessment
This skill is a coherent meta-tool for creating and optimizing other skills and appears to do what it says. Before using it: (1) inspect the bundled scripts (scripts/init_skill.py, package_skill.py, quick_validate.py) before running them and run them in a sandbox or a non-sensitive directory, because they create files, directories, and may mark scripts executable; (2) avoid running any script as root or in system directories to prevent accidental overwrites; (3) if you plan to let an agent autonomously invoke this skill, be aware it will have instructions to read and write workspace files — grant it only to directories you trust; (4) note quick_validate enforces a specific SKILL.md frontmatter schema (allowed keys: name, description, license, allowed-tools, metadata) which may reject other frontmatter fields used by some ecosystems. If you need higher assurance, run the scripts locally in a controlled environment first.
Like a lobster shell, security has layers — review code before you run it.
latestvk974p2zwrmcy3pq675s9wh61eh84w6ed
