autoskill

Pass
Audited by ClawScan on May 9, 2026.

Overview

The reviewed artifacts show a skill-recommendation helper with read-only project inspection and an optional local installer; nothing in them shows exfiltration, destructive behavior, or unsafe automatic skill execution.

This appears safe to use as a skill recommender, but treat it as a coordinator: review its recommendations and approve any follow-on skill use carefully. If you run install.sh, know that it adds a persistent /autoskill command under ~/.claude. The supplied SKILL.md excerpt is truncated in the scan, so review the full SKILL.md before installing, if it is available to you.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may inspect local project context and recommend or coordinate other skills, so look at what it proposes before approving any follow-on skill use.

Why it was flagged

The skill is allowed to use local inspection tools and the Skill tool. That is appropriate for routing and recommending skills, but it widens what the agent can coordinate in a single session.

Skill content
allowed-tools:
  - Bash
  - Read
  - Glob
  - Grep
  - AskUserQuestion
  - Skill
Recommendation

Use the skill as a recommender, and approve any suggested skill invocation individually, especially for deployment, billing, account, database, or public-posting actions.

What this means

Running the skill can reveal local branch names, changed-file counts, and detected stack information in the agent conversation.

Why it was flagged

The skill includes a Bash preamble that executes local shell commands such as git status and file-existence checks. The visible commands are read-only and purpose-aligned.

Skill content
The preamble commands inspect local git state and detect the project language from config files. They do not modify anything, send data externally, or run project code.
Recommendation

Avoid running it in repositories where even branch names or changed-file summaries are sensitive, or review the preamble output before sharing the conversation.
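For reference, here is an added example of a read-only inspection preamble of the shape this finding describes (git branch, changed-file count, stack detection from config files). It is written for this page and is not the skill's own Bash preamble; the config-file list, the function names and the REDACT_BRANCH switch are assumptions for illustration. Running it against a repository shows exactly what such a preamble puts into the conversation, and where a branch name can be held back before a transcript is shared.

```shell
#!/bin/sh
# Added example, not the skill's own Bash preamble: a read-only project
# inspection of the kind the finding describes. It reads git state and
# checks for well-known config files; it writes nothing, runs no project
# code, and sends nothing anywhere. The config-file list and the
# REDACT_BRANCH switch are assumptions of this example.

# detect_stack DIR: print the stack(s) implied by config files, or "unknown".
detect_stack() {
    dir=$1
    stack=""
    [ -f "$dir/package.json" ] && stack="$stack node"
    if [ -f "$dir/pyproject.toml" ] || [ -f "$dir/requirements.txt" ]; then
        stack="$stack python"
    fi
    [ -f "$dir/go.mod" ] && stack="$stack go"
    [ -f "$dir/Cargo.toml" ] && stack="$stack rust"
    [ -f "$dir/pom.xml" ] && stack="$stack java"
    stack=${stack# }
    printf '%s\n' "${stack:-unknown}"
}

# git_summary DIR: current branch and number of changed paths, or nothing
# when git is absent or DIR is not inside a work tree. Every git call here
# is a read-only query.
git_summary() {
    dir=$1
    command -v git >/dev/null 2>&1 || return 0
    git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
    branch=$(git -C "$dir" symbolic-ref --short -q HEAD 2>/dev/null) || branch="detached"
    changed=$(git -C "$dir" status --porcelain 2>/dev/null | wc -l | tr -d ' ')
    # Branch names can themselves be sensitive (ticket ids, customer names);
    # REDACT_BRANCH=1 keeps them out of a transcript you intend to share.
    [ "${REDACT_BRANCH:-0}" = 1 ] && branch="<redacted>"
    printf 'branch=%s changed=%s\n' "$branch" "$changed"
}

# inspect_project DIR: the whole preamble, as a skill would print it into
# the conversation. Read this output before pasting the conversation elsewhere.
inspect_project() {
    dir=${1:-.}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    printf 'stack=%s\n' "$(detect_stack "$dir")"
    git_summary "$dir"
}

if [ "$#" -gt 0 ]; then inspect_project "$1"; fi
```

Run it as `sh inspect.sh /path/to/repo`; everything it prints is what ends up in the agent conversation, which is the whole substance of this finding.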

What this means

The registry lists the skill as instruction-only, yet the bundle also ships a local script that changes Claude configuration if you run it by hand.

Why it was flagged

The registry presents the skill as instruction-only while the artifact bundle also contains an installer script. The script is visible and simple, but this is still worth noticing before manual installation.

Skill content
No install spec — this is an instruction-only skill. Code file presence: 1 code file(s): install.sh
Recommendation

Inspect install.sh before running it, and install only from a trusted copy of the repository or package.

Note (High Confidence)
ASI10: Rogue Agents
What this means

After installation, /autoskill remains available in future Claude Code sessions and will load this skill's instructions when used.

Why it was flagged

The installer creates persistent local Claude skill and slash-command files. This is disclosed and includes uninstall comments, but it changes future agent behavior until removed.

Skill content
mkdir -p "$SKILL_DIR"
cp "$SCRIPT_DIR/SKILL.md" "$SKILL_DIR/SKILL.md"
...
cat > "$CMD_DIR/autoskill.md" << 'EOF'
Recommendation

Install only if you want a persistent /autoskill command; use the uninstall commands in the script comments if you no longer want it.
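The last two findings both come down to one habit: read install.sh before it touches ~/.claude. The script below is an added example, not the skill's install.sh and not a ClawScan tool, that does the first pass of that reading mechanically. It lists destination variables and file writes so you can see where an installer will leave persistent files, and it fails if the installer also fetches from the network, escalates privilege, or pipes into a shell, none of which the reviewed excerpt does. The pattern lists and function names are assumptions for illustration and are not exhaustive; a clean result is a reason to read the file, not to skip reading it.

```shell
#!/bin/sh
# Added example, not the skill's install.sh and not part of ClawScan: a
# static pre-install review of a shell installer, in the spirit of
# "inspect install.sh before running it". It reports lines that set
# destination variables, write to disk, reach the network, escalate
# privilege, or evaluate dynamic code. The pattern lists are an
# illustrative assumption, not an exhaustive taxonomy.

# Word boundaries are spelled out with character classes so the patterns
# behave the same under GNU and BSD grep -E.
W='(^|[^A-Za-z0-9_./-])'
PAT_TARGET='^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=.*(\$HOME|~|/)'
PAT_WRITE="$W"'(mkdir|cp|mv|ln|tee|chmod|chown|rm)[[:space:]]|(^|[^0-9&<])>{1,2}[[:space:]]*["$~/.A-Za-z]'
PAT_NET="$W"'(curl|wget|nc|ncat|ssh|scp|git[[:space:]]+clone|npm[[:space:]]+install|pip3?[[:space:]]+install)($|[^A-Za-z0-9_])'
PAT_PRIV="$W"'(sudo|doas)[[:space:]]'
PAT_EVAL="$W"'(eval|exec)[[:space:]]|\|[[:space:]]*(ba|z|da)?sh($|[[:space:]])|'"$W"'(source|\.)[[:space:]]+[^[:space:]]'

# count_matches PATTERN FILE: number of lines matching an ERE (0 if none).
count_matches() {
    n=$(grep -cE "$1" "$2" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# report CATEGORY PATTERN FILE: print matching lines with line numbers,
# prefixed by the category, so a reviewer can scan them quickly.
report() {
    grep -nE "$2" "$3" 2>/dev/null | sed "s/^/$1: /" || true
}

# review_installer FILE: print the categorized report. Returns 1 when any
# network, privilege-escalation or dynamic-execution line is found, 0 when
# the installer only sets paths and writes files (which still deserves a
# look at the "target" and "write" lines it prints).
review_installer() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    report target "$PAT_TARGET" "$f"
    report write  "$PAT_WRITE"  "$f"
    report net    "$PAT_NET"    "$f"
    report priv   "$PAT_PRIV"   "$f"
    report eval   "$PAT_EVAL"   "$f"
    n=$(( $(count_matches "$PAT_NET" "$f") + $(count_matches "$PAT_PRIV" "$f") + $(count_matches "$PAT_EVAL" "$f") ))
    [ "$n" -eq 0 ]
}

if [ "$#" -gt 0 ]; then review_installer "$1"; fi
```

Usage is `sh review.sh path/to/install.sh`. For an installer like the excerpt above, the "target" lines tell you which directories under ~/.claude it will populate and the "write" lines tell you which files it creates; those are the paths you will need again when you decide to remove the /autoskill command.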