Skill Auto-Injection
Pass
Audited by ClawScan on May 16, 2026.
Overview
The plugin appears to do its stated job of matching installed local skills and adding suggestions to the prompt, but users should understand that it changes prompt context, calls a configured Ollama endpoint, and writes local cache files.
Install this only if you want automatic skill suggestions in the agent prompt. Keep the model endpoint local or trusted, use trusted local skills, review the prompt-injection policy setting, and verify the plugin ID before enabling it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installed skills may be suggested to the agent automatically, so a misleading or untrusted local skill description could influence which capabilities the agent considers.
The plugin intentionally inserts matched skill information into the prompt context and documents that prompt-injection blocking may need to be relaxed for it to work.
If policy-layer blocks prompt injection, skill matching results won't appear in context: ... "allowPromptInjection": true
Use this only with trusted installed skills, keep match limits and thresholds conservative, and avoid broad prompt-injection allowances unless you understand their effect.
If configured to use a remote or shared Ollama endpoint, private prompts or skill descriptions could leave the local machine.
User request text is sent to the configured Ollama-compatible API endpoint for translation/LLM operations; the default is localhost, but the endpoint is configurable.
baseUrl: process.env.OLLAMA_BASE_URL || "http://localhost:11434" ... prompt: `Translate the following user request to English... User request: ${text}`
Keep the Ollama base URL local or otherwise trusted, and avoid sending sensitive prompts through an untrusted model endpoint.
A poorly described or malicious local skill could poison its cached keywords and be surfaced more often in future prompts.
The plugin persists LLM-derived embeddings and keywords next to each skill and later reuses them for matching.
const metaPath = join(skillDir, "skill-meta.json"); ... await writeFile(metaPath, JSON.stringify(meta, null, 2), "utf-8");
Install skills only from trusted sources and delete or regenerate skill-meta.json cache files after changing or removing questionable skills.
A user may configure or inspect the wrong plugin ID if they do not notice the mismatch.
The artifacts acknowledge a naming/configuration mismatch, which can confuse plugin allowlists and verification.
Problem: `plugin id mismatch (config uses "skill-ai-inject", export uses "skill-auto-injection")` ... Always use `skill-auto-injection` as the canonical ID
Verify the installed plugin identity, source repository, and OpenClaw allowlist entry before enabling it.
