ClawHub

Skill Forge 2026 03 21

v1.0.0

Skillsmith-JOJO — 完美主义技能工坊,JOJO's Workshop 出品。 专为完美主义者设计的 AI 技能开发工具,提供从零到发布的完整工作流。 使用场景: - 用户说"创建一个新技能"、"帮我做一个技能" - 用户说"优化这个技能"、"改进 SKILL.md" - 用户说"审计技能"、"检查...

0· 60·0 current·0 all-time
by@skillforge-jojo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is a skills-development toolkit and includes templates, test, security, and token-analysis scripts which align with the description. Minor mismatch: the top-level metadata declares only python3 as a required binary, but the git-related template and several scripts assume the git CLI is present (git-assistant/SKILL.md lists git). Requiring git would be reasonable for a toolkit that includes Git helpers; the omission is a small inconsistency.
Instruction Scope
Runtime instructions are limited to creating/validating/testing skills (run skill-test.py, security-check.py, token-analyzer.py) and using standard publish tooling. The included scripts read and analyze files under the target skill directory but do not transmit data to external endpoints. No instructions ask the agent to read unrelated system secrets or phone home.
Install Mechanism
No install spec is provided (instruction-only with bundled code). All included code is present in the bundle; nothing is downloaded from arbitrary URLs and there is no archive extraction or external install step declared.
Credentials
The skill declares no required environment variables or credentials. The tools recommend using 'clawhub' (a separate CLI) for publishing, but that is optional and not requested as a credential by the package. There are no hidden credential-looking env vars in the files.
Persistence & Privilege
The skill is not always-included and allows normal user invocation; it does not request persistent system-wide privileges or modify other skills' configurations. Its scripts operate only on skill directories and local files.
Assessment
This appears to be a legitimate skill-development toolkit. Before installing/using it: 1) ensure your environment has git if you plan to use the Git templates (git is referenced in git-assistant but not declared at top-level); 2) inspect any skill you test with these tools to ensure it does not contain secrets (security-check.py flags patterns like .ssh or .aws but only scans files — it does not exfiltrate data); 3) review the use of 'clawhub publish' and the clawhub CLI before publishing (it may require separate authentication); and 4) if you will run these scripts on directories containing sensitive material, run them in a safe environment or sandbox first. If you want higher assurance, ask the author to add git to the top-level required binaries and provide a short README describing published-package dependencies and expected runtime behaviors.

Like a lobster shell, security has layers — review code before you run it.

latestvk97490dzzbgv3f9nzfry7qv23s849b1x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

⚒️ Clawdis
Binspython3

Comments