Frankenstein
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: frankenstein Version: 1.2.0 The 'Frankenstein' skill is designed to combine parts of other AI skills, which inherently involves searching external repositories and analyzing/executing third-party code. However, the SKILL.md explicitly mandates robust security measures: using `skill-auditor` for security scanning, analyzing skills in `sandwrap read-only mode`, and skipping any skills with high risk scores. While the instructions to the agent are highly prescriptive (e.g., model selection, iterative vetting loops), they are consistently aimed at ensuring the quality and security of the *generated* skill, not at subverting the agent or performing malicious actions. There is no evidence of intentional harmful behavior like data exfiltration or unauthorized execution beyond the stated purpose and its explicit safeguards.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated skill could inherit unsafe, low-quality, or untrusted behavior from external skills if the sources and copied components are not reviewed.
The workflow intentionally gathers skills from broad third-party sources and may reuse their scripts in a newly generated skill. This is central to the purpose, but it makes provenance and source review important.
Search EVERY AI skills repository ... GitHub ... skills.sh ... skillsmp.com ... Other sources to check ... Include scripts from winners
Review the listed source skills, their scripts, licenses, and scanner results before approving or installing the generated Frankenstein skill.
Malicious or manipulative text inside a source skill could influence the generated skill if not filtered during analysis.
The skill asks the agent to read untrusted instruction files and reuse selected approaches in a persistent new skill. Those source files may contain prompt-injection text or instructions that should be treated as data, not obeyed.
Look for: SKILL.md, CLAUDE.md, or similar agent instruction files ... Take the winning approach for each feature
During review, ensure source instructions are quarantined as untrusted content, remove any meta-instructions or hidden behavioral changes, and verify the final SKILL.md independently.
If the helper tools or candidate install steps are misconfigured, the workflow may touch local files or create outputs the user did not expect.
The skill relies on local helper tools to fetch, scan, sandbox, and build skills. This is purpose-aligned and includes safety steps, but the tools are powerful enough that users should confirm what will be run.
Install to temp directory ... Run skill-auditor scan ... Analyze safe skills in sandwrap read-only mode ... Use skill-creator to assemble
Use trusted versions of the helper tools, keep candidate installs in temporary directories, and confirm the final creation step before saving.
Source content, draft skill text, or user requirements may be shared with spawned analysis sessions.
The skill can delegate analysis to sub-agents. This is disclosed and aligned with the analysis-heavy purpose, but the artifact does not define strict boundaries for what context is shared with those sub-agents.
When spawning analysis sub-agents ... sessions_spawn( task: "FRANKENSTEIN ANALYSIS: [topic]...", model: "opus" )
Avoid including secrets or private project data in prompts to this skill, and review what information is sent to any spawned analysis agents.