Skill Creator
Security checks across malware telemetry and agentic risk
Overview
This is a coherent skill-authoring helper with user-directed local file and packaging actions, and the artifacts show no hidden network, credential, or destructive behavior.
Install if you want a helper for creating and packaging AgentSkills. Run its scripts only on intended directories, review generated or modified skills before enabling them, and avoid placing secrets or private files inside skill folders that may be packaged.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the helper scripts can create skill directories and package files on the local filesystem.
The skill instructs the user or agent to run bundled local helper scripts. This is central to creating and packaging skills, but it still means local code will create or modify files.
Run the init script:
```bash
scripts/init_skill.py <skill-name> --path <output-directory> [--resources scripts,references,assets]
```
Run the scripts only in directories you control, with paths you intended to use, and review the generated skill before installing it.
If a user leaves secrets, private notes, or unintended files inside a skill folder, they may be bundled into the .skill package.
The packager walks the skill directory and archives regular files under it. This is expected for packaging, and the script includes symlink and path-containment checks, but files placed inside the skill folder may be included.
```python
for file_path in skill_path.rglob("*"):
    ...
    zipf.write(file_path, arcname)
```
Keep credentials and private files out of skill directories, and inspect package contents before distributing a generated .skill file.
A generated skill could persist data across runs if the user chooses to include this pattern.
The skill teaches authors how to add persistent memory to other skills. This is an advanced, disclosed design pattern, not hidden behavior in this skill, but generated memory-enabled skills need clear scope and retention rules.
Skills can include memory by storing data within them: ... This skill stores data in `~/.my-skill/data.json`.
Only add memory to generated skills when needed, document what is stored, where it is stored, and when it should be deleted.
Users have less external context about the publisher or upstream source of the helper scripts.
The registry metadata provides limited provenance for a skill that includes executable helper scripts. The scripts are present in the artifacts and appear purpose-aligned, so this is a provenance notice rather than a concern.
Source: unknown
Homepage: none
Review the included scripts before use and prefer installing from publishers or repositories you trust.
