Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Review

v1.0.1

Review an OpenClaw skill for token efficiency, scriptability, and clean action boundaries; back up first, then improve the skill.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kid0114/master-skill-review.

Prompt preview (Install & Setup):
Install the skill "Skill Review" (kid0114/master-skill-review) from ClawHub.
Skill page: https://clawhub.ai/kid0114/master-skill-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install master-skill-review

ClawHub CLI

npx clawhub@latest install master-skill-review

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (a meta-skill that inspects and improves other skills) aligns with the files present: SKILL.md, checklist, and a review script that inspects SKILL.md, scripts/, and references/. The skill does not request unrelated credentials or binaries. However, the human-readable instructions explicitly say the skill may 'inspect and modify' other local skill folders and that it will 'back up first, then modify' — yet the included script only performs read-only analysis and does not implement backing up or modification. That mismatch between claimed behavior (automatic backups/modifications) and provided tooling is notable.
Instruction Scope
SKILL.md instructs the agent to read target SKILL.md, scripts/, references/, back up the target, and 'improve the skill structure' (modify files). Those operations are local filesystem reads/writes within other skill folders. The included script (scripts/review_skill.sh) only reads and reports — it does not perform backups or changes. Because the instructions permit file modifications but do not provide audited/explicit scripts to do safe backups or changes, an agent given autonomy could make arbitrary edits. The instructions are also somewhat vague about where backups should be stored and what constitutes an acceptable 'improvement'.
Install Mechanism
No install spec and only an instruction/script bundle—lowest risk for arbitrary remote code download. The only executable provided is a small bash script that performs read-only checks and prints heuristics. No external downloads, package installs, or extract steps are present.
Credentials
The skill requests no environment variables, credentials, or config paths. There are no declared secrets or unrelated credentials, which is proportionate to a local-file review task.
Persistence & Privilege
always:false (normal). The SKILL.md explicitly expects a high-permission 'master' agent that can inspect and modify other local skill folders. That need for elevated local filesystem access is coherent for a meta-reviewer tool, but combined with autonomous invocation (disable-model-invocation:false) it raises practical risk: an agent could autonomously change other skills if given permission. This is a power/privilege consideration rather than an immediate technical exploit—limit autonomous write permissions if you want safer operation.
What to consider before installing
This skill is a plausible meta-review tool and includes only a safe read-only helper script, but its SKILL.md asks the agent to back up and modify other local skills without providing an explicit, auditable backup/modify script. Before installing or enabling autonomous invocation:

  1. Require explicit confirmation before any file write — prefer the agent to produce patch suggestions rather than applying changes automatically.
  2. Add/verify a dedicated backup script that writes backups to a clearly named, access-controlled location and prints the backup path.
  3. Limit which agent identities can run this skill with write permission (prefer read-only for general users).
  4. Audit any future scripts that actually perform writes before granting run privileges.

If you want minimal risk, use the included review_skill.sh for read-only analysis only and do manual backups and edits yourself.

Like a lobster shell, security has layers — review code before you run it.

latest: vk972ftp3ghydqrk29md1esxnk983x79g
140 downloads · 0 stars · 2 versions
Updated 4w ago
v1.0.1
MIT-0

Skill Review

What this skill does

This meta-skill reviews another skill and checks whether it:

  • is too verbose
  • should move repetitive mechanical steps into scripts
  • wastes tokens through repeated explanation
  • clearly separates default execution from confirmation-required actions

Typical ownership / permission level

  • This skill is typically used by the master agent.
  • It often requires higher local permissions because it may inspect and modify:
    • SKILL.md
    • references/
    • scripts/
    • other local skill folders

Core rules

  • Prefer thin markdown + heavier scripts.
  • If a step can be scripted, it should usually be scripted.
  • If no extra requirements exist, prefer executing scripts instead of repeatedly re-explaining a process in chat.
  • SKILL.md should hold rules, boundaries, and confirmation points.
  • scripts/ should hold mechanical checks, copying, verification, and repeatable operations.
  • references/ should stay lightweight.
  • After review, the default is: back up first, then modify, then show evidence.

Standard flow

  1. Read the target SKILL.md
  2. Inspect scripts/ and references/
  3. Identify verbosity, duplication, and non-scripted mechanical steps
  4. Back up the target skill files
  5. Improve the skill structure
  6. Show backup paths, changes made, and final evidence
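
Steps 4 and 6 have no script in the bundle (scripts/review_skill.sh is read-only, as the scan above notes). One way to script the backup and the change evidence, as an added example that is not part of this skill: `backup_skill`, `changes_since_backup` and `SKILL_BACKUP_ROOT` are hypothetical names, and GNU `sha256sum` and `diff` are assumed.

```bash
#!/usr/bin/env bash
# Added example, not part of master-skill-review. backup_skill,
# changes_since_backup and SKILL_BACKUP_ROOT are hypothetical names.
# Assumes GNU coreutils (sha256sum) and diffutils.

# backup_skill <skill-dir>
# Copies the skill into a fresh owner-only directory, records a SHA-256
# manifest, verifies the copy against the source, prints the backup path.
backup_skill() {
  local src="${1%/}" root="${SKILL_BACKUP_ROOT:-$HOME/.skill-backups}" dest
  if [ ! -d "$src" ] || [ -L "$src" ] || [ ! -f "$src/SKILL.md" ]; then
    echo "refusing: $src is not a plain skill directory with SKILL.md" >&2
    return 1
  fi
  ( umask 077 && mkdir -p "$root" ) || return 1
  # mktemp -d creates a uniquely named directory with mode 0700.
  dest="$(mktemp -d "$root/$(basename "$src").$(date -u +%Y%m%dT%H%M%SZ).XXXXXX")" || return 1
  mkdir "$dest/files" || return 1
  # -P copies symlinks as links, so nothing outside the skill is pulled in.
  cp -R -P -p "$src/." "$dest/files/" || return 1
  ( cd "$dest/files" && find . -type f -exec sha256sum {} + | sort -k 2 ) \
    > "$dest/MANIFEST.sha256" || return 1
  # Re-hash the source against the manifest that was built from the copy.
  ( cd "$src" && sha256sum -c --status ) < "$dest/MANIFEST.sha256" || {
    echo "backup verification failed: $dest" >&2
    return 1
  }
  printf '%s\n' "$dest"
}

# changes_since_backup <backup-dir> <skill-dir>
# Lists files that differ from, or are missing in, the backup (step 6
# evidence). Returns 0 when diff ran cleanly, non-zero on a diff error.
changes_since_backup() {
  diff -r -q "$1/files" "${2%/}" || [ $? -eq 1 ]
}
```

Run `backup_skill` before any write and refuse to edit when it returns non-zero; the printed path is the backup location that step 6 asks the agent to show.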

Included files

  • references/checklist.md
  • scripts/review_skill.sh

Recommended command

bash skills/master-skill-review/scripts/review_skill.sh <skill-dir-or-skill-md>

Do not

  • Do not keep heavy explanations in SKILL.md when a script can do the work.
  • Do not modify a target skill without first backing it up.
  • Do not leave action boundaries unclear.
