OpenClaw Skill Growth
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent instruction-only wrapper for a skill-maintenance plugin, but users should review the external GitHub project and dry-run any changes before applying them to skills.
This wrapper itself is clean and clearly describes a user-driven maintenance workflow. Before installing the linked GitHub project, review the repository and dependencies, start with report or dry-run modes, inspect any generated patches, and only apply changes to a limited skill directory after confirming the proposed edits are safe.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the real project means code and dependencies outside this ClawHub package will run on the user's machine.
The wrapper directs users to fetch and install the real plugin from GitHub rather than including the plugin code in this ClawHub package. This is disclosed and expected for a wrapper, but users are trusting external code and npm dependencies.
git clone https://github.com/Shuai-DaiDai/openclaw-skill-growth.git
cd openclaw-skill-growth
npm install
Review the GitHub repository, release, package metadata, and dependency lockfile before installing; prefer a tagged release and a normal development environment.
If applied carelessly, generated patches could change how installed skills behave in later tasks.
The documented workflow can modify SKILL.md files. This is central to the skill's purpose and is paired with preview, dry-run, backup, and review language, but changing skills can affect future agent behavior.
preview patches before changing skill files
- apply updates with backups, version bumping, and change history
...
npm run apply
Use report and dry-run modes first, inspect generated patches, restrict the target skill directory, and keep backups before running any apply flow.
Sensitive information from run history may be copied into reports or proposals, and poor-quality log data could lead to poor skill-change suggestions.
The workflow consumes run logs and writes derived reports/proposals to disk. This is purpose-aligned, but run logs may contain sensitive task content or untrusted text that could influence generated recommendations.
node dist/cli.js report \
  --skills-dir ./path/to/skills \
  --runs-file ./path/to/runs.jsonl \
  --out-dir ./output
Use curated run logs, keep outputs in a private directory, scrub sensitive data when possible, and treat generated diagnoses and proposals as review material rather than automatic truth.
