Skill Forge
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: skills-forge Version: 1.4.0 The 'skills-forge' bundle provides a framework for agents to self-evolve by detecting capability gaps, generating new code scaffolds, and installing them. It possesses high-risk capabilities, including file system mutation, external network communication via the Telegram API (scripts/install/telegram_approval.py), and persistence via macOS LaunchAgents (scripts/somnia/schedule_nightly_review.py). While the bundle includes significant defensive features—such as HMAC-signed approval tokens (scripts/lib/approval.py), a secret scanner (scripts/security/scan_secrets.py), and a robust redaction engine to prevent PII/secret exfiltration (scripts/replay/replay_common.py)—the inherent nature of a tool designed to modify its own runtime environment and establish scheduled persistence is high-risk and warrants a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Approving an install or uninstall could change what the agent is able or instructed to do in future sessions.
The skill can install or uninstall skills, which can change the agent runtime, but the documented workflow requires signed approval for applying mutations.
`forge` | Detect, scaffold, validate, evaluate, and optionally request install approval | install only with signed approval ... `uninstall` ... apply requires signed approval
Use plan-only mode first, inspect generated skill folders and install plans, and approve only changes you understand.
If Telegram approval is enabled, the agent or local process may need access to Telegram bot credentials and a chat ID.
Telegram approval uses bot/chat configuration values, which are sensitive integration credentials even though the registry metadata lists no required environment variables.
parser.add_argument("--telegram-bot-token-env", default="TELEGRAM_BOT_TOKEN") ... parser.add_argument("--telegram-chat-id-env", default="TELEGRAM_CHAT_ID")Keep Telegram tokens out of logs and prompts, use least-privilege bot credentials, and verify approval requests before responding.
Private task details or poisoned feedback could be reused when proposing future skill changes.
Persistent feedback can influence future skill updates. The design uses reviewed candidates rather than direct mutation, but stored feedback can still carry sensitive or misleading content.
After installation, usage feedback is recorded as append-only JSONL. Feedback can produce a new update candidate, but installed skills are not edited in place.
Avoid putting secrets in feedback, review redacted feedback/replay files before approving evolved skills, and do not approve updates based on untrusted feedback.
If scheduled, it may keep reviewing installed skills outside the immediate interactive task.
The skill includes optional scheduled/background review behavior, but the documentation limits it to scanning/reporting unless configured otherwise.
During sleep hours, a scheduled job can scan installed skills and produce a health report ... It must not install updates unless explicitly configured with an approval mode.
Enable nightly review only intentionally, understand its scope, and keep mutation approval modes disabled unless needed.