Skill Explorer

v1.0.0

Systematically discover, evaluate, compare, and assess OpenClaw skills to find the right, safe, and high-quality option for your specific task.

by River Yan @riverfor
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name, description, SKILL.md workflow, and the provided helper script all align: this is a discovery/evaluation framework that inspects and downloads other skills for review. The included scripts and checks (search, inspect, download, grep-based pattern checks) are appropriate for the stated goal.
Instruction Scope
The instructions and script direct the agent/user to download other skills (clawhub install) and scan their files; that is expected for a security review tool. However, SKILL.md and scripts assume availability of external CLI tools (clawhub, jq, grep, find, etc.) but those binaries are not declared in the skill metadata. Also the workflow explicitly suggests using --force for 'suspicious' skills, which increases risk when applied without proper sandboxing.
Install Mechanism
There is no install spec (instruction-only), which is lower risk. The skill does include a helper shell script (scripts/explore.sh) that will be present if you install the skill; the script itself performs only inspection and grep/find operations and creates a temporary directory under /tmp.
Credentials
The skill requests no environment variables or credentials, which is proportional. Minor inconsistency: the runtime instructions assume tools (clawhub and jq) that are not declared as required binaries, so the skill may fail or mislead users who do not have those tools installed from trusted sources.
Persistence & Privilege
The skill does not request persistent presence (always is false) and does not attempt to modify system-wide settings. Its actions (downloading skills to /tmp and scanning them) are scoped to temporary directories and the user's invocation context.
Assessment
This skill appears to do what it says: search for, download to /tmp, and statically analyze other skills. Before using it, consider the following: (1) it assumes the presence of clawhub and jq but does not declare them — install those from trusted sources or the script will fail; (2) the helper will download arbitrary skills (clawhub install), so run it in a sandbox or VM and avoid running with elevated privileges; (3) downloaded skills may include install hooks or scripts — inspect files before executing anything inside them; (4) the script suggests forcing installs for 'suspicious' skills — avoid --force unless you understand the risk; (5) if you need higher assurance, manually review any network endpoints or hardcoded tokens found by the scanner and run antivirus/static-analysis tools on downloaded artifacts.
