Skill Dependencies
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its dependency-management purpose, but its installer can change installed OpenClaw skills from registry data without a clear approval or version-pinning safeguard.
The read-only scan and tree commands appear aligned with the stated purpose. Be cautious with skill-install.sh: review the dependency list and intended versions yourself before installing, because adding skills is a persistent change to your agent environment.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the installer could add multiple skills to your OpenClaw environment without reviewing each one individually.
The script is designed to install every resolved skill/dependency and explicitly suppresses OpenClaw installer confirmation; installing skills can change future agent behavior, and the artifacts do not show a separate approval or dry-run step.
for skill in "${!TO_INSTALL[@]}"; do ... openclaw skill install "$skill" --yes
Require an explicit list-and-confirm step before installation, remove or avoid --yes by default, and validate dependency names before passing them to installer commands.
You may install a different skill version than the one requested or expected, which weakens dependency and supply-chain control.
The script parses and stores requested versions, but the actual install commands use only the skill name, so advertised version-specific installs or resolved dependency constraints may be ignored.
SKILL_VERSION="${SKILL_SPEC#*@}" ... version="${TO_INSTALL[$skill]}" ... openclaw skill install "$skill" --yes ... clawhub install "$skill"
Pass the exact resolved name@version to the installer, display resolved versions before installing, and use lockfiles or signed/verified registry metadata where available.
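One way to act on both findings at once, as an added example that is not part of this ClawScan report and not the skill's own skill-install.sh: the loop below validates every dependency name, keeps the resolved version attached to the name so the installer receives name@version, and shows the full plan and waits for an explicit confirmation instead of passing --yes. It assumes a POSIX sh environment; the DRY_RUN variable and the installer() wrapper are this example's own, and the openclaw skill install command is the one quoted in the findings.

```shell
#!/bin/sh
# Added example (not the skill's skill-install.sh, not ClawScan code): a hardened
# install loop for resolved OpenClaw skill dependencies.
# Assumptions: DRY_RUN and installer() are this example's own; the underlying
# "openclaw skill install" command is the one quoted in the findings.

# Constructed sample: one resolved "name@version" per line, as a lockfile would list them.
GOOD_SPECS='web-fetch@1.2.0
json-tools@0.9.1'
# Constructed sample with a name containing a space and an entry with no version pinned.
BAD_SPECS='bad name@1.0.0
unpinned-skill'

# Accept only conservative names so a spec can never be read as a flag, path or shell word.
valid_skill_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]{0,63}$'
}

# Print "name version" for every spec; fail if any spec is malformed or unpinned,
# so a caller cannot install a partially validated list.
validate_specs() {
  rc=0
  while IFS= read -r spec; do
    [ -n "$spec" ] || continue
    case "$spec" in
      *@*) name=${spec%%@*}; version=${spec#*@} ;;
      *)   printf 'REJECT %s: no version pinned\n' "$spec" >&2; rc=1; continue ;;
    esac
    if valid_skill_name "$name" && [ -n "$version" ]; then
      printf '%s %s\n' "$name" "$version"
    else
      printf 'REJECT %s: invalid name or empty version\n' "$spec" >&2
      rc=1
    fi
  done <<EOF
$1
EOF
  return $rc
}

# Single place that talks to the installer; it receives the exact name@version.
installer() {
  openclaw skill install "$1"
}

# Show the resolved plan, require an explicit "y", then install each pinned spec.
# Returns 1 on validation failure, 2 when the operator declines, 0 otherwise.
confirm_and_install() {
  plan=$(validate_specs "$1") || { echo 'aborting: fix the dependency list first' >&2; return 1; }
  printf 'Skills that will be installed (name version):\n%s\n' "$plan"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo 'dry run: nothing installed'
    return 0
  fi
  printf 'Proceed? [y/N] '
  read -r answer
  case "$answer" in
    y|Y) ;;
    *) echo 'aborted by operator'; return 2 ;;
  esac
  printf '%s\n' "$plan" | while read -r name version; do
    installer "$name@$version"
  done
}
```

Run it as `DRY_RUN=1 sh install.sh` first to see exactly which name@version pairs would be installed; the real run refuses to proceed if any entry is unpinned or has a name outside the allowed character set, so a registry entry cannot quietly widen what gets installed.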
