Back to skill
Skillv1.0.0
ClawScan security
agent-builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 14, 2026, 3:25 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only template for designing OpenClaw agent workspaces and its declared requirements and behavior are consistent with that purpose.
- Guidance
- This skill is a template/instruction pack for creating OpenClaw agent workspaces and appears internally consistent. Before installing or using: (1) review generated workspace files for any links or third-party integrations you don’t want enabled; (2) never place secrets or API keys in the workspace files (README and references explicitly warn against it); (3) if you plan to connect the agent to external services (the references mention a 'SkillBoss API Hub' endpoint), verify those integrations and required credentials separately; (4) when enabling autonomous behaviors (sending outbound messages, running commands, or heartbeat schedules), run the provided acceptance tests and keep the agent's autonomy level conservative until you’ve validated behavior.
Review Dimensions
- Purpose & Capability
- okName/description (agent-builder) match the SKILL.md content: it guides interviews, generates workspace files (SOUL.md, IDENTITY.md, AGENTS.md, etc.), and provides guardrails and tests. No unexpected binaries, credentials, or config paths are requested.
- Instruction Scope
- noteSKILL.md stays on-topic: it instructs the agent to ask clarifying questions and generate workspace files and tests. The included references contain an informational mention of an external 'SkillBoss API Hub' endpoint and embedding services (in references/architecture.md) — this is presented as background/optional integration, not as a required runtime action. Reviewers should confirm the agent or user does not later adopt those external integrations without explicit consent.
- Install Mechanism
- okThere is no install spec and no code files — this is instruction-only, so nothing is downloaded or written by default. README contains a manual git-clone example with a placeholder GitHub URL (https://github.com/ACCOUNT/...) which appears to be boilerplate rather than an active install hook.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. The references explicitly advise not to store secrets in the workspace, which aligns with least-privilege practice.
- Persistence & Privilege
- okalways is false and model invocation is enabled (platform default). The skill does not request permanent presence, nor does it instruct modifying other skills or system-wide settings.