Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SkillForge
v1.0.4Generate and audit OpenClaw agent skills from natural language. Use when the operator asks to create a skill, build a skill, generate a skill, audit a skill,...
⭐ 0· 35·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (generate & audit skills) align with the instructions in SKILL.md. However, SKILL.md expects npm and the ClawHub CLI (clawhub login/publish) to be available, while the registry metadata says 'Required binaries: none'—this is an inconsistency. skill.json points to a GitHub repo as the source, but the registry-level 'Homepage: none' contradicts that.
Instruction Scope
The runtime instructions stay within the stated purpose: run the SkillForge CLI to generate/audit skill directories and (when --pro is used) send skill contents to the user-selected AI provider. The SKILL.md explicitly warns not to audit directories containing secrets. It does not instruct the agent to read unrelated files, hidden system paths, or undisclosed environment variables.
Install Mechanism
The skill is instruction-only (no install spec), but SKILL.md instructs users to run npm install -g @shadoprizm/skillforge. Installing a third-party global npm package runs arbitrary code on the host — this is expected for a CLI but increases risk and should be validated by inspecting the package and its GitHub source. No direct install URL or extract-from-unknown-host behavior is present, which is good, but the absence of an install spec in registry metadata plus contradictory homepage information is a minor red flag.
Credentials
No required env vars are declared at the registry level, and the skill.json sensibly lists several optional API keys (ZAI_API_KEY, OPENAI_API_KEY, OPENROUTER_API_KEY, QWEN_API_KEY) needed only for Pro features — this is proportionate. However, skill.json states keys are stored locally under ~/.skillforge using the 'conf' package and describes storage inconsistently (calls it both encrypted and plaintext-like). Storing API keys locally in cleartext (or in a location with bash-like permissions) is sensitive and should be considered before use.
Persistence & Privilege
The skill does not request always:true, does not declare system config path access, and does not attempt to modify other skills. It uses normal autonomous invocation defaults. No elevated persistence or cross-skill config changes are requested.
What to consider before installing
Before installing or running this skill, verify the upstream npm package and GitHub repository (https://github.com/shadoprizm/skillforge) yourself: inspect the package source, release history, and maintainer. Do not run --pro or audit commands against directories containing secrets, private keys, or production API keys — the tool will send skill contents to whichever AI provider you configure. Consider using an ephemeral/test API key for Pro mode, and confirm how keys are stored (the SKILL.md/skill.json indicate keys are saved under ~/.skillforge via 'conf', which may be plaintext). Also note the registry metadata omission: SKILL.md expects npm and clawhub CLI presence even though 'Required binaries' is empty; ensure you have and trust those tools before proceeding.Like a lobster shell, security has layers — review code before you run it.
auditorvk97a9c7gsd2a60tnzraqrcy77n83z2v9generatorvk97a9c7gsd2a60tnzraqrcy77n83z2v9latestvk97a9c7gsd2a60tnzraqrcy77n83z2v9qualityvk97a9c7gsd2a60tnzraqrcy77n83z2v9skillforgevk97a9c7gsd2a60tnzraqrcy77n83z2v9skillsvk97a9c7gsd2a60tnzraqrcy77n83z2v9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.