!
Purpose & Capability
Name/description match the code: listing, checking updates, updating (git/skillhub) and uninstalling skills. However, the script uses hard-coded absolute Windows paths (e.g., C:\Users\andy8\.qclaw\...) while SKILL.md/README describe scanning ~/.qclaw/... (tilde). Registry metadata also lists no required binaries whereas SKILL.md frontmatter requires python3. The hard-coded paths are unexpected and indicate the script wasn't generalized for other users.
!
Instruction Scope
SKILL.md instructs running the included Python script for list/check/update/uninstall. The script performs broad filesystem scans (searching for config/.env/.yaml, openclaw.json references, workspace TMP/scripts/output/archive, etc.) and will present removal actions. That scanning is related to 'thorough uninstall' advertised, but it's wide-reaching and can touch many user files; combined with hard-coded paths this is surprising. Confirm dry-run behavior and review uninstall/delete code before executing actions that remove files.
✓
Install Mechanism
No install spec — the skill is delivered as source + SKILL.md and expects Python to run the script. This is the lowest install risk (nothing is automatically downloaded or executed on install).
ℹ
Credentials
The skill declares no required env vars or credentials, and network calls are only to ClawHub (https://clawhub.com/api/v1/skill/{slug}) which is consistent with checking SkillHub metadata. However the script will detect and report presence of config files and credential-like files under the scanned skill directory and other OpenClaw config locations — reasonable for an uninstall helper but sensitive. There are no declared requests for unrelated credentials, which is good.
✓
Persistence & Privilege
The skill does not set always:true and does not request special platform-wide privileges. It will interact with skillhub.lock.json and local skill directories as part of its management duties (expected).
Scan Findings in Context
[hardcoded-paths] unexpected: The script defines Windows-specific absolute paths (C:\Users\andy8\.qclaw\...) rather than using user-expandable paths (~ / os.path.expanduser). This is unexpected and reduces portability; it may cause the tool to operate on the author's paths if run in certain environments.
[network-call-clawhub] expected: The script calls https://clawhub.com/api/v1/skill/{slug} to fetch remote versions for SkillHub sources. This matches the 'check' functionality.
[subprocess-run-git-skillhub] expected: The script uses subprocess.run to execute 'git pull' and 'skillhub install', which is expected for update/install operations.
[filesystem-scan-configs] expected: The uninstall/residual-scan routines recursively search for config/.env/.yaml files, caches, tmp files and openclaw.json references. This is aligned with the advertised 'thorough uninstall' but touches sensitive files and should be run with care (dry-run recommended).
What to consider before installing
This skill implements the advertised management features, but before installing or running it you should: (1) inspect scripts/skill_manage.py, especially the uninstall/remove code; (2) note the script currently uses hard-coded Windows paths (C:\Users\andy8\...) — update it to use os.path.expanduser('~') or your actual OpenClaw paths so it operates on your environment; (3) run 'check' and 'list' / use the uninstall --dry-run option before allowing deletions; (4) verify network calls (ClawHub only) and confirm you trust the author; (5) if you plan to run automated updates/uninstalls, run inside a sandbox or with backups until you confirm behavior. If you want, I can point out the exact lines to change to make paths portable and show where deletion happens.
