autoskill
PassAudited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill Name: autoskill Version: 1.1.1 The 'autoskill' bundle is a meta-skill designed to analyze user problems and recommend relevant skills. It features a robust safety architecture, including a mandatory user confirmation gate (AskUserQuestion) before any skill execution and a high-risk registry to flag sensitive operations like deployment or billing. The bash commands in SKILL.md and the install.sh script are limited to local environment inspection and standard file setup, with no evidence of data exfiltration or malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may inspect local project context and recommend or coordinate other skills, so the user should pay attention before approving any follow-on skill use.
The skill can use local inspection tools and the Skill tool, which is appropriate for routing and recommending skills but expands what the agent can coordinate.
allowed-tools: - Bash - Read - Glob - Grep - AskUserQuestion - Skill
Use the skill as a recommender, and approve any suggested skill invocation individually, especially for deployment, billing, account, database, or public-posting actions.
Running the skill can reveal local branch names, changed-file counts, and detected stack information in the agent conversation.
The skill includes a Bash preamble that executes local shell commands such as git status and file-existence checks. The visible commands are read-only and purpose-aligned.
The commands below inspect local git state and detect the project language from config files. They do not modify anything, send data externally, or run project code.
Avoid running it in repositories where even branch names or changed-file summaries are sensitive, or review the preamble output before sharing the conversation.
A user might treat the skill as instructions only while also having a local script available that changes Claude configuration if run manually.
The registry presents the skill as instruction-only while the artifact bundle also contains an installer script. The script is visible and simple, but this is still worth noticing before manual installation.
No install spec — this is an instruction-only skill. Code file presence: 1 code file(s): install.sh
Inspect install.sh before running it, and install only from a trusted copy of the repository or package.
After installation, /autoskill remains available in future Claude Code sessions and will load this skill's instructions when used.
The installer creates persistent local Claude skill and slash-command files. This is disclosed and includes uninstall comments, but it changes future agent behavior until removed.
mkdir -p "$SKILL_DIR" cp "$SCRIPT_DIR/SKILL.md" "$SKILL_DIR/SKILL.md" ... cat > "$CMD_DIR/autoskill.md" << 'EOF'
Install only if you want a persistent /autoskill command; use the uninstall commands in the script comments if you no longer want it.