Yao Tutorial Skill

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent tutorial generator, but it does run local helper scripts and may save user-supplied materials or provenance in local research files.

This skill appears safe to use for its stated purpose. Treat it like a local document-production tool: run it only from a trusted copy, install export dependencies from trusted sources, avoid supplying highly confidential material unless you plan to review/delete the research folder, and check final citations/provenance before sharing outputs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may execute local Python scripts in your environment to create files, screenshots, and exports.

Why it was flagged

The workflow explicitly runs local helper scripts to generate visuals, exports, and validation results. This is central to the stated tutorial-export purpose, but it is still local code execution.

Skill content

create `visuals/visual-spec.json`, then run `build_visual_pack.py` and `capture_visuals.py` ... run `export_tutorial.py` and then `validate_package.py`

Recommendation

Run it from a trusted copy of the skill, review helper scripts if the environment is sensitive, and avoid running it in directories containing unrelated private data.

What this means

You may need to rely on the packaged files and your own review rather than a fully declared registry source and install process.

Why it was flagged

The registry metadata provides limited source/install provenance while the package includes runnable scripts. The artifacts are disclosed and static scan is clean, so this is a provenance note rather than a security concern.

Skill content

Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill ... Code file presence: 5 code file(s)

Recommendation

Prefer a trusted source repository when available, review local scripts before execution, and install any needed document/export tools from trusted package sources.

What this means

Private notes or source details you provide may remain in the generated local research folder even if they are removed from public exports.

Why it was flagged

The skill intentionally stores structured records about user-provided materials in local research files. This supports auditability, but those files can preserve private notes, labels, or summaries.

Skill content

Record the classification in `research/user-materials-register.md` ... `| U1 | pasted note | ... | key_takeaway | limits_or_cautions |`

Recommendation

Do not provide confidential material unless you are comfortable with local research artifacts being created; review or delete the `research/` folder before sharing the package.

What this means

A shared final tutorial may not visibly say which parts came from user-provided materials or internal source packets.

Why it was flagged

The final public artifact is instructed to avoid exposing internal provenance wording. This is disclosed and aligned with producing a polished deliverable, but it can reduce transparency if the user expects visible attribution.

Skill content

The final tutorial ... should not say it is based on a pasted article, user notes, source packet, X thread, draft, or original text. Absorb user references silently into the structure

Recommendation

Before publishing or distributing the output, review the reference section and add any attribution or provenance disclosure required for your audience, license, or organization.