Skill Father
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is a coherent standards template for creating other skills, with no code or install steps, but it does encourage future skills to persist local config and make user-approved setup changes.
This skill appears safe as an instruction-only standards template. When using it to create or update other skills, carefully review any generated onboarding scripts, config-file writes, credential use, service restarts, or SSH/config changes before approving them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A child skill built from this guidance may ask to change local configuration files, which can affect how tools or SSH behave.
The skill tells authors to build onboarding flows that can modify existing local configuration files. This is sensitive local mutation authority, but the same instructions require review and per-item user confirmation.
If editing an existing system config file (e.g. `~/.config/openclaw/env`, `~/.ssh/config`): ... show current vs new ... prompt the user per item: keep / override / skip
Approve only setup changes you understand, review current-versus-new diffs, and keep backups for important config files.
Skills created with this template may depend on logged-in services or service-account tokens.
The skill uses credential-backed workflows as examples for child skills. This does not request credentials for this skill, but it signals that generated skills may rely on account/session authority.
`op whoami` must succeed (or, if service accounts are used, required env vars like `OP_SERVICE_ACCOUNT_TOKEN` must be set).
For any generated child skill, verify which account or token it uses and ensure permissions are limited to the needed service and task.
Machine-specific values may remain stored in the skill folder and influence later runs or be accidentally shared if the folder is copied.
The guidance encourages persistent local configuration that future skill runs may rely on. This is expected for reproducible onboarding, but real config can contain sensitive or machine-specific values.
Persist outcomes into the real skill-local config file ... `config.env` ... real machine-specific config (generated/updated by onboarding)
Keep real config files private, avoid storing raw secrets when a vault reference will work, and exclude generated config from shared packages or version control.