Skill Dependencies
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the installer could add multiple skills to your OpenClaw environment without reviewing each one individually.
The script is designed to install every resolved skill/dependency and explicitly suppresses OpenClaw installer confirmation; installing skills can change future agent behavior, and the artifacts do not show a separate approval or dry-run step.
for skill in "${!TO_INSTALL[@]}"; do ... openclaw skill install "$skill" --yes
Require an explicit list-and-confirm step before installation, remove or avoid --yes by default, and validate dependency names before passing them to installer commands.
You may install a different skill version than the one requested or expected, which weakens dependency and supply-chain control.
The script parses and stores requested versions, but the actual install commands use only the skill name, so advertised version-specific installs or resolved dependency constraints may be ignored.
SKILL_VERSION="${SKILL_SPEC#*@}" ... version="${TO_INSTALL[$skill]}" ... openclaw skill install "$skill" --yes ... clawhub install "$skill"
Pass the exact resolved name@version to the installer, display resolved versions before installing, and use lockfiles or signed/verified registry metadata where available.
