Skill Engineer

v3.2.0

Design, test, review, and maintain agent skills for OpenClaw systems using multi-agent iterative refinement. Orchestrates Designer, Reviewer, and Tester suba...

by Chunhua Liao @chunhualiao
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (design, review, test skills) align with the included materials: detailed SKILL.md, reviewer/tester/designer guides, and deterministic validation scripts. The declared non-code registry metadata (no env vars/binaries) matches the instruction-only install model; mandatory dependencies listed in SKILL.md (deepwiki skill, vector memory DB) are coherent for an orchestrator that needs current API behavior and session history.
! Instruction Scope
SKILL.md instructs querying the agent's vector memory (memory_search), inspecting local OpenClaw files/paths (e.g., ~/.openclaw/skills/deepwiki/ and openclaw.json) and contains a README sync / push-to-GitHub step. Those actions reach beyond the skill's own files and ask for access to session history, local config and repository operations. While plausible for a skill-engineer, they are significant side-effects and broaden the trust surface.
Install Mechanism
No install spec or remote downloads; this is instruction-only with packaged reference docs and local validation scripts. That's low install risk: nothing is fetched from external URLs or extracted. The provided scripts are local deterministic tools (bash/python) that operate on repository files.
Credentials
Registry metadata requests no environment variables or credentials. However, SKILL.md requires the vector memory feature and the deepwiki skill and tells the agent to inspect openclaw.json and user skill directories. This does not request new secrets, but it implies access to potentially sensitive session history and local configuration; that access is plausible for the role but should be intentionally granted and audited.
! Persistence & Privilege
always:false and normal autonomous invocation are set (not elevated). But the workflow explicitly includes a README sync that regenerates README from the implementation and a 'Push to GitHub' step. That implies write/commit and remote push privileges over repositories. The package itself doesn't include automated push code, but the documented workflow expects the orchestrator to perform repo-side changes — a capability that increases impact and should require explicit authorization and careful scoping.
What to consider before installing
This skill mostly does what it says, but it asks agents to: (1) query your vector memory (session history/notes), (2) read OpenClaw config and skill files in your home/workspace, and (3) regenerate README and push changes to GitHub. Before installing or enabling autonomous use:
- Review and run the included scripts locally yourself (check-completeness.sh, validate-scorecard.sh, validate-trigger.sh, quality-score.py) to see what they do and to confirm there are no unexpected network calls.
- Restrict or disable autonomous push-to-GitHub behavior: require manual approval for any git commits/pushes or run the README-sync step locally.
- Be deliberate about enabling vector memory access (memory_search) because it exposes session history/notes; if that data is sensitive, keep memory.enabled disabled or limit the skill's permissions.
- Ensure the dependent deepwiki skill is from a trusted source before using it.
If you want higher assurance, run the skill in a sandboxed repo/environment first and require human approval before giving it repository write/push rights or access to session memory.

Like a lobster shell, security has layers — review code before you run it.
