Skill Dependencies
Verdict: Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: skill-deps
Version: 1.0.0

The skill bundle is designed for dependency management, including installing skills from a remote registry. The `scripts/skill-install.sh` file makes network calls to `clawhub.com` to fetch skill metadata and then invokes `openclaw skill install` or `clawhub install` to download and install skills. While these actions are aligned with the stated purpose of a dependency management skill, installing remote code from an external registry (clawhub.com) is a high-risk operation, so the skill is classified as 'suspicious': it has risky capabilities without clear malicious intent. No evidence of intentional harmful behavior such as data exfiltration or persistence was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding: Running the installer could add multiple skills to your OpenClaw environment without reviewing each one individually.

The script is designed to install every resolved skill/dependency and explicitly suppresses the OpenClaw installer confirmation; installing skills can change future agent behavior, and the artifacts do not show a separate approval or dry-run step.

Evidence: `for skill in "${!TO_INSTALL[@]}"; do ... openclaw skill install "$skill" --yes`

Recommendation: Require an explicit list-and-confirm step before installation, remove or avoid `--yes` by default, and validate dependency names before passing them to installer commands.
Finding: You may install a different skill version than the one requested or expected, which weakens dependency and supply-chain control.

The script parses and stores requested versions, but the actual install commands use only the skill name, so advertised version-specific installs or resolved dependency constraints may be ignored.

Evidence: `SKILL_VERSION="${SKILL_SPEC#*@}" ... version="${TO_INSTALL[$skill]}" ... openclaw skill install "$skill" --yes ... clawhub install "$skill"`

Recommendation: Pass the exact resolved `name@version` to the installer, display resolved versions before installing, and use lockfiles or signed/verified registry metadata where available.
