Remote Skill Engine
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious repository or network interception could place altered instructions or scripts into the local skill cache, where the agent may later use them as if installed.
The cache script downloads remote skill files and possible executable scripts while disabling TLS certificate validation, then marks downloaded scripts executable. This makes remote or intercepted content part of the local skill supply chain without integrity checks.
ctx.check_hostname = False ... ctx.verify_mode = ssl.CERT_NONE ... common_scripts = ["fetch-skill.py", "compare-skills.py", "main.py", "run.py"] ... os.chmod(dest, 0o755)
Only allow trusted sources, keep TLS verification enabled, pin versions or hashes, verify signatures where possible, and require a human review before activating downloaded skills.
A downloaded skill can remain available across future sessions and may be triggered later without the user remembering it came from a remote source.
The script persistently links cached remote content into the active skills directory, so the remote skill can continue operating like an installed skill after the original caching action.
skills_symlink = SKILLS_DIR / skill_name ... skills_symlink.symlink_to(cache_path)
Keep remote skills quarantined until explicitly approved, clearly label cached remote skills, provide a verified removal path, and avoid enabling them by default.
A bad update could affect future tasks or multiple cached skills without a clear review checkpoint.
The instructions describe automatic synchronization and bulk updating of cached skills. If a remote skill changes badly or maliciously, the change could propagate into the active skills folder.
# Auto-sync on skill trigger (configurable) ... Set in config.json: {"autoSync": true} ... ./scripts/update-cached-skills.sh --auto
Default auto-sync to off, require approval and change review for each update, and keep rollback metadata for cached skills.
A remote skill file could include instructions that redirect the agent away from the user's intent or encourage unsafe tool use.
The helper loads remote SKILL.md content and presents it as instructions to follow, without a trust boundary separating unreviewed remote text from agent instructions.
print("SKILL LOADED - Following instructions:") ... print("To use this skill, follow the instructions in SKILL.md above")
Treat remote skill text as untrusted until reviewed, and enforce higher-priority platform/user policies over any downloaded skill instructions.
