Skill Vetter

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is an instruction-only security checklist with no code, install steps, credentials, or persistence. The only notes concern a minor provenance inconsistency and optional command use.

This skill is reasonable to use as a security checklist. Before installing, verify the source because the registry and embedded metadata differ, and review any optional curl/jq command before running it against a repository.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill appears benign, but the mismatch means users should double-check that they are installing the intended publisher/package.

Why it was flagged

The embedded metadata does not match the supplied registry metadata owner ID and slug, creating a minor provenance inconsistency even though there is no runnable code.

Skill content

"ownerId": "kn71j6xbmpwfvx4c6y1ez8cd718081mg", "slug": "skill-vetter"

Recommendation

Verify the registry listing and publisher identity before relying on this skill, especially if it was obtained from an unknown source.

What this means

If used, the agent may contact GitHub and download repository content for review.

Why it was flagged

The skill documents optional shell/network commands for fetching GitHub repository metadata and skill files; this is purpose-aligned but still involves external requests.

Skill content

curl -s "https://api.github.com/repos/OWNER/REPO"
...
curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md"

Recommendation

Run these commands only with the intended OWNER, REPO, and SKILL_NAME values, and review fetched content before installing anything.