Parse YAML/JSON/TOML front-matter from strings or files using the gray-matter library
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent front-matter parser, but it automatically installs an unpinned npm package the first time it runs, so it needs review before use.
Install only if you are comfortable with the skill running npm install for gray-matter on first use. Prefer pinning and preinstalling the dependency in a reviewed environment, and run the parser only on files you intend to expose to the agent.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The first use of the skill may fetch and run external package code and persist dependencies locally without a separate install approval step.
If gray-matter is missing, simply running the parser downloads and installs an unpinned npm package at runtime. The install is related to the skill's purpose, but it bypasses a reviewed, pinned install mechanism and can trigger npm's dependency installation behavior.
execSync('npm install gray-matter', { cwd: scriptsDir, stdio: 'ignore' });
Use a reviewed install spec with pinned versions and a lockfile, or require the user to preinstall the dependency explicitly. Avoid runtime npm install, or at minimum use pinned dependencies and consider disabling lifecycle scripts where feasible.
