Yao Tutorial Skill
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: yao-tutorial-skill
Version: 0.2.3
The skill bundle is a legitimate and well-structured tool designed to generate educational tutorials with automated research, visual diagrams, and multi-format exports (DOCX, PDF, HTML). It utilizes Python scripts (e.g., export_tutorial.py, capture_visuals.py) to interface with standard tools like Pandoc and headless browsers for document processing and screenshot generation. The code follows security best practices by using subprocess lists instead of shell strings, and the SKILL.md instructions are strictly focused on tutorial quality and source verification without any signs of malicious prompt injection or data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may execute local Python scripts in your environment to create files, screenshots, and exports.
The workflow explicitly runs local helper scripts to generate visuals, exports, and validation results. This is central to the stated tutorial-export purpose, but it is still local code execution.
create `visuals/visual-spec.json`, then run `build_visual_pack.py` and `capture_visuals.py` ... run `export_tutorial.py` and then `validate_package.py`
Run it from a trusted copy of the skill, review helper scripts if the environment is sensitive, and avoid running it in directories containing unrelated private data.
You may need to rely on the packaged files and your own review rather than a fully declared registry source and install process.
The registry metadata provides limited source/install provenance while the package includes runnable scripts. The artifacts are disclosed and static scan is clean, so this is a provenance note rather than a security concern.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill ... Code file presence: 5 code file(s)
Prefer a trusted source repository when available, review local scripts before execution, and install any needed document/export tools from trusted package sources.
Private notes or source details you provide may remain in the generated local research folder even if they are removed from public exports.
The skill intentionally stores structured records about user-provided materials in local research files. This supports auditability, but those files can preserve private notes, labels, or summaries.
Record the classification in `research/user-materials-register.md` ... `| U1 | pasted note | ... | key_takeaway | limits_or_cautions |`
Do not provide confidential material unless you are comfortable with local research artifacts being created; review or delete the `research/` folder before sharing the package.
A shared final tutorial may not visibly say which parts came from user-provided materials or internal source packets.
The final public artifact is instructed to avoid exposing internal provenance wording. This is disclosed and aligned with producing a polished deliverable, but it can reduce transparency if the user expects visible attribution.
The final tutorial ... should not say it is based on a pasted article, user notes, source packet, X thread, draft, or original text. Absorb user references silently into the structure
Before publishing or distributing the output, review the reference section and add any attribution or provenance disclosure required for your audience, license, or organization.
