Clawsmith
Pass. Audited by ClawScan on May 10, 2026.
Overview
Clawsmith is a coherent skill-building assistant, but users should manually review generated skills and publishing commands rather than trusting its security and approval claims.
Clawsmith appears safe to use as a drafting and review assistant, but do not automatically trust or publish what it generates. Read each generated SKILL.md, verify metadata and requested tools, inspect any helper scripts, and publish only from the correct ClawHub account after manual review.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed without review, generated content could be saved as an installed skill or published publicly under the user's account.
The skill provides commands that create a local OpenClaw skill directory and publish a skill through the ClawHub CLI. These actions match the stated purpose, but publishing is a public, account-affecting action.
Run mkdir -p ~/.openclaw/skills/your-skill-name ...
Run clawhub publish ~/.openclaw/skills/your-skill-name --version 1.0.0
Review generated SKILL.md files and run publish commands manually, only after confirming the content, version, account, and destination are correct.

The installed CLI will be part of the local toolchain used to create and publish skills.
The skill depends on installing an external Node package to provide the ClawHub CLI. This is expected for publishing to ClawHub, but users still depend on the provenance of that package.
node | package: clawhub | creates binaries: clawhub
Install the ClawHub CLI from the expected official package source and keep it updated; avoid substituting similarly named packages.

Users may over-trust generated skills or assume publication or security approval is guaranteed.
The skill makes strong assurance-style claims about security review outcomes. The artifact also tells users to review output, so this is not deceptive on its own, but the wording could create overconfidence.
"No guesswork. No rejected submissions. No suspicious flags."
Treat the output as a draft, not a guarantee; perform an independent security and metadata review before installation or publication.
