skill_install
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent skill installer, but its ZIP handling and validation are too weak for a tool that persistently changes OpenClaw’s installed skills and restarts the Gateway.
Only use this installer with ZIP files you already trust and have reviewed. Before installing, inspect the package’s SKILL.md, _meta.json, and any scripts, and expect the Gateway to restart so the new skill becomes active immediately. The installer should be fixed to sanitize paths, verify package metadata/provenance, and add clearer confirmation before persistent changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted skill package could cause the installer to write files, or after confirmation delete files, outside the intended skills folder if the user runs it with sufficient permissions.
The target install path is built from a skill name read from the ZIP’s SKILL.md without shown sanitization or a check that the resolved path stays under the OpenClaw skills directory; the code then removes or copies directories at that path.
```python
skill_name = line.split(':', 1)[1].strip()
...
target_dir = os.path.join(self.skills_dir, skill_name)
...
shutil.rmtree(target_dir)
...
shutil.copytree(skill_source, target_dir)
```
Reject absolute paths and path traversal in skill names, resolve the final path with realpath, require it to remain inside the skills directory, and only delete/copy after showing a safe normalized destination.
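The checks recommended above, as an added example that is not the installer's own code: the skill name is accepted only as a single plain path component, the resolved destination is re-checked after realpath so a pre-existing symlink under the skills directory cannot redirect a later rmtree/copytree, and archive entry names are screened before extraction. The regular expression, the 64-character limit and the function names are assumptions made for this illustration.

```python
import os
import re
from pathlib import PurePosixPath
from typing import Iterable, List, Tuple

# Added example, not the installer's own code. The skill name read from
# SKILL.md is accepted only as a single plain path component, and the final
# destination is re-checked after realpath so that a pre-existing symlink
# inside the skills directory cannot redirect a later rmtree/copytree.
# The allow-list pattern and the 64-character limit are assumptions.
SKILL_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_skill_name(skill_name: str) -> bool:
    """Allow-list check: one component, no separators, no leading dot."""
    return bool(SKILL_NAME_RE.fullmatch(skill_name))


def check_install_target(skills_dir: str, skill_name: str) -> Tuple[bool, str]:
    """Return (ok, message); on success the message is the normalized path.

    Uses the same (bool, str) convention as the installer's validator.
    """
    if not is_safe_skill_name(skill_name):
        return False, f"skill name rejected: {skill_name!r}"
    root = os.path.realpath(skills_dir)
    target = os.path.realpath(os.path.join(root, skill_name))
    # Containment: the resolved target must be a direct child of the
    # resolved skills directory with the expected name. A symlink such as
    # skills/<name> -> /somewhere/else fails this test.
    if os.path.dirname(target) != root or os.path.basename(target) != skill_name:
        return False, f"resolved path leaves the skills directory: {target}"
    return True, target


def unsafe_zip_members(names: Iterable[str]) -> List[str]:
    """Return archive entry names that must never be extracted.

    Catches absolute paths, Windows drive prefixes and '..' components so
    that extraction cannot write outside the staging directory.
    """
    rejected = []
    for name in names:
        posix = name.replace("\\", "/")
        parts = PurePosixPath(posix).parts
        if posix.startswith("/") or re.match(r"[A-Za-z]:", posix) or ".." in parts:
            rejected.append(name)
    return rejected


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real package.
    for name in ("weather-lookup", "../../etc", "/abs/path", ".hidden"):
        print(name, "->", check_install_target("skills", name))
    print(unsafe_zip_members(["SKILL.md", "../evil.sh", "/etc/passwd", "scripts/run.py"]))
```

The allow-list is deliberately stricter than a traversal blacklist: rather than enumerating bad substrings, it accepts only names that can never contain a separator, and the realpath comparison catches the case the allow-list cannot see, a symlink already planted at `skills/<name>`.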
A local ZIP that merely looks structurally valid could add persistent agent instructions or executable helper files to OpenClaw.
The shown validation only requires SKILL.md to exist and start with frontmatter; it does not verify provenance, signatures, checksums, _meta.json, or the safety of included scripts before installing the skill.
```python
def validate_skill_structure(self, skill_path: str) -> Tuple[bool, str]:
    ...
    skill_md = os.path.join(skill_path, "SKILL.md")
    if not os.path.exists(skill_md):
        return False, "缺少 SKILL.md 文件"
    ...
    if not content.startswith('---'):
        return False, "SKILL.md 格式错误: 必须以 --- 开头"
```
Install only reviewed and trusted ZIPs. The installer should verify _meta.json, constrain accepted package structure, check provenance or signatures when available, and present a permission/content summary before installation.
Any mistake or unsafe content in an installed ZIP can affect the running OpenClaw environment right away.
After copying the skill into the OpenClaw skills directory, the script restarts the Gateway, making the new skill available immediately.
```python
shutil.copytree(skill_source, target_dir)
...
subprocess.run(
    ["openclaw", "daemon", "restart"],
```
Review the ZIP contents before installing, consider adding an explicit final confirmation before Gateway restart, and keep a rollback path for removing the installed skill.
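One way to add the final confirmation and rollback path recommended above, as an added example and not the installer's own code: the previous copy of the skill is set aside, the user is asked once more before the Gateway restart, and the old directory is restored if the user declines or the restart fails. The confirm/restart callables and the run_demo scenario are assumptions for this illustration; only the restart command itself comes from the page.

```python
import os
import shutil
import subprocess
import tempfile
from typing import Callable, Dict

# Added example, not the installer's own code. install_with_rollback keeps the
# previous copy of the skill aside, asks for a final confirmation before the
# Gateway restart, and restores the old directory if the user declines or the
# restart fails. confirm/restart are injected so the flow can be exercised
# without a real Gateway; run_demo builds a constructed scenario in a tempdir.


def restart_gateway() -> bool:
    """Production hook: the same command the installer runs."""
    return subprocess.run(["openclaw", "daemon", "restart"]).returncode == 0


def install_with_rollback(
    skill_source: str,
    target_dir: str,
    confirm: Callable[[str], bool],
    restart: Callable[[], bool] = restart_gateway,
) -> str:
    """Install skill_source at target_dir; return 'installed' or a rollback note."""
    backup = None
    if os.path.isdir(target_dir):
        # Keep the old version next to the target until the install is final.
        backup = tempfile.mkdtemp(prefix=".rollback-", dir=os.path.dirname(target_dir))
        shutil.move(target_dir, os.path.join(backup, "prev"))
    try:
        shutil.copytree(skill_source, target_dir)
        if not confirm(target_dir):
            raise RuntimeError("user declined final confirmation")
        if not restart():
            raise RuntimeError("gateway restart failed")
    except Exception as exc:  # any failure after the copy triggers a rollback
        shutil.rmtree(target_dir, ignore_errors=True)
        if backup is not None:
            shutil.move(os.path.join(backup, "prev"), target_dir)
            shutil.rmtree(backup, ignore_errors=True)
        return f"rolled back: {exc}"
    if backup is not None:
        shutil.rmtree(backup, ignore_errors=True)
    return "installed"


def run_demo(user_confirms: bool, restart_succeeds: bool) -> Dict[str, object]:
    """Constructed scenario: skill 'weather' v1 is installed; try to install v2."""
    with tempfile.TemporaryDirectory() as tmp:
        skills_dir = os.path.join(tmp, "skills")
        target = os.path.join(skills_dir, "weather")
        source = os.path.join(tmp, "staged-package")
        os.makedirs(target)
        os.makedirs(source)
        with open(os.path.join(target, "SKILL.md"), "w", encoding="utf-8") as fh:
            fh.write("version 1")
        with open(os.path.join(source, "SKILL.md"), "w", encoding="utf-8") as fh:
            fh.write("version 2")
        status = install_with_rollback(
            source,
            target,
            confirm=lambda path: user_confirms,
            restart=lambda: restart_succeeds,
        )
        with open(os.path.join(target, "SKILL.md"), encoding="utf-8") as fh:
            active = fh.read()
        leftovers = sorted(n for n in os.listdir(skills_dir) if n != "weather")
        return {"status": status, "active": active, "leftovers": leftovers}


if __name__ == "__main__":
    print(run_demo(True, True))    # installed, version 2 active
    print(run_demo(False, True))   # rolled back, version 1 active
    print(run_demo(True, False))   # rolled back, version 1 active
```

Because the backup lives beside the target rather than in the system temp directory, the restore is a same-filesystem rename and cannot fail halfway for lack of space; whatever branch is taken, the skills directory ends with exactly one copy of the skill.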
Users may trust the installer to reject incomplete or suspicious skill packages when the shown checks are much narrower.
The documentation claims _meta.json validation, but the provided validator code only shows a SKILL.md existence/frontmatter check, which can mislead users about the strength of safety validation.
```markdown
- **Validation**: Validates skill structure (SKILL.md, _meta.json)
...
- Verify SKILL.md and _meta.json exist
```
Align the documentation with the actual checks, or implement the promised _meta.json and package validation before advertising it as safety validation.
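The validation that the second finding asks for and the fourth finding says the documentation already promises, as an added example that is not the installer's own code: SKILL.md frontmatter must carry a name, _meta.json must parse and agree on that name, and a content summary (file count, script files) is produced for the user to review before anything is copied. The _meta.json keys ("name", "version"), the script suffixes and the demo package contents are assumptions; the real schema is not on the page.

```python
import json
import os
import tempfile
from typing import Dict, List, Tuple

# Added example, not the installer's own code. It performs the validation the
# README advertises but the shown validator lacks: SKILL.md frontmatter with a
# name field, a parseable _meta.json whose name matches, and a content summary
# for the user to review before anything is copied. The _meta.json keys and
# the script suffixes are assumptions; the real schema is not on the page.
REQUIRED_META_KEYS = ("name", "version")
SCRIPT_SUFFIXES = (".py", ".sh", ".js", ".ps1")


def parse_frontmatter(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines between the leading and closing --- markers."""
    if not text.startswith("---"):
        return {}
    end = text.find("\n---", 3)
    if end == -1:
        return {}
    fields: Dict[str, str] = {}
    for line in text[3:end].splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def summarize_contents(skill_path: str) -> Dict[str, object]:
    """List every file in the package and flag the ones that are scripts."""
    files: List[str] = []
    scripts: List[str] = []
    for dirpath, _dirs, filenames in os.walk(skill_path):
        for filename in sorted(filenames):
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, skill_path)
            files.append(rel)
            if filename.endswith(SCRIPT_SUFFIXES) or os.access(full, os.X_OK):
                scripts.append(rel)
    return {"file_count": len(files), "scripts": sorted(scripts)}


def validate_skill_package(skill_path: str) -> Tuple[bool, str, Dict[str, object]]:
    """Return (ok, message, summary), extending the installer's (bool, str) style."""
    skill_md = os.path.join(skill_path, "SKILL.md")
    meta_json = os.path.join(skill_path, "_meta.json")
    if not os.path.isfile(skill_md):
        return False, "missing SKILL.md", {}
    if not os.path.isfile(meta_json):
        return False, "missing _meta.json", {}
    with open(skill_md, encoding="utf-8") as fh:
        frontmatter = parse_frontmatter(fh.read())
    if "name" not in frontmatter:
        return False, "SKILL.md frontmatter has no name field", {}
    try:
        with open(meta_json, encoding="utf-8") as fh:
            meta = json.load(fh)
    except ValueError as exc:
        return False, f"_meta.json is not valid JSON: {exc}", {}
    if not isinstance(meta, dict):
        return False, "_meta.json must be a JSON object", {}
    missing = [key for key in REQUIRED_META_KEYS if key not in meta]
    if missing:
        return False, f"_meta.json missing keys: {missing}", {}
    if meta["name"] != frontmatter["name"]:
        return False, "name differs between SKILL.md and _meta.json", {}
    summary = summarize_contents(skill_path)
    summary.update({"name": meta["name"], "version": meta["version"]})
    return True, "ok", summary


def demo() -> Dict[str, Tuple[bool, str, Dict[str, object]]]:
    """Validate a constructed good package and one that lacks _meta.json."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good")
        os.makedirs(os.path.join(good, "scripts"))
        with open(os.path.join(good, "SKILL.md"), "w", encoding="utf-8") as fh:
            fh.write("---\nname: weather-lookup\ndescription: constructed sample\n---\n# Weather\n")
        with open(os.path.join(good, "_meta.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": "weather-lookup", "version": "0.1.0"}, fh)
        with open(os.path.join(good, "scripts", "helper.py"), "w", encoding="utf-8") as fh:
            fh.write("print('constructed helper')\n")
        results["good"] = validate_skill_package(good)

        bad = os.path.join(tmp, "bad")
        os.makedirs(bad)
        with open(os.path.join(bad, "SKILL.md"), "w", encoding="utf-8") as fh:
            fh.write("---\nname: weather-lookup\n---\n")
        results["bad"] = validate_skill_package(bad)
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

The summary is the piece worth showing the user: a package that passes structurally but carries three script files is a different decision from one that is a lone SKILL.md, and the installer currently does not surface that difference before copying and restarting.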
