ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skillcraft

v1.0.0

Design and build OpenClaw skills. Use when asked to "make/build/craft a skill", extract ad-hoc functionality into a skill, or package scripts/instructions for reuse. Covers OpenClaw-specific integration (tool calling, memory, message routing, cron, canvas, nodes) and ClawHub publishing.

7· 3k·16 current·16 all-time
by@jmz1
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (skill designer for OpenClaw) matches the content: the SKILL.md and pattern files are templates and guidance for packaging skills, routing, cron, memory, and publishing. No unrelated binaries, env vars, or install steps are requested.
Instruction Scope
The runtime instructions tell the agent to inspect available skills, workspace files, and to place state under `{baseDir}`/`<workspace>`. This is expected for a skill-authoring guide, but it means the agent will read other skills and workspace files when following these instructions — review those reads if you have sensitive data in workspace files or other skill bodies.
Install Mechanism
No install spec and no code files — instruction-only. This is the lowest-risk install profile (nothing is downloaded or written by an installer).
Credentials
The skill declares no required environment variables or credentials. It does provide guidance for how skill authors should *store* secrets (env vars, keychain, 1Password CLI), which is advisory and not a request for secrets from the runner.
Persistence & Privilege
always:false and no config paths requested. The skill recommends locations for skill-local state files but does not request global agent configuration changes or persistent privileges.
Assessment
This skill is an authoring guide and is internally consistent. Because it instructs agents to read other skills and workspace files, review any workspace content and other skills for sensitive data before using it to auto-extract or package code. The skill itself asks for no credentials and performs no installs, but be cautious if you follow its guidance to add state files or to request environment variables later when authoring new skills — never hardcode secrets into SKILL.md or published skill files, and review any resulting SKILL.md or install steps before publishing or installing. If you do not want agents to autonomously create/publish skills, consider controlling invocation or review outputs manually.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🧶 Clawdis
latestvk97d9eqjnx17ct3kvacgsyp60180whvv
3kdownloads
7stars
3versions
Updated 1h ago
v1.0.0
MIT-0
@jmz1
latest
Download

Skillcraft — OpenClaw Skill Designer

An opinionated guide for creating OpenClaw skills. Focuses on OpenClaw-specific integration — message routing, cron scheduling, memory persistence, channel formatting, frontmatter gating — not generic programming advice.

Docs: https://docs.openclaw.ai/tools/skills · https://docs.openclaw.ai/tools/creating-skills

Model Notes

This skill is written for frontier-class models (Opus, Sonnet). If you're running a cheaper model and find a stage underspecified, expand it yourself — the design sequence is a scaffold, not a script. Cheaper models should:

  • Read the pattern files in {baseDir}/patterns/ more carefully before architecting
  • Spend more time on Stage 2 (capability discovery) — enumerate OpenClaw features explicitly
  • Be more methodical in Stage 4 (spec) — write out the full structure before implementing
  • Consult https://docs.openclaw.ai when unsure about any OpenClaw feature

The Design Sequence

Stage 0: Inventory (Extraction Only)

Skip if building from scratch. Use when packaging existing functionality (scripts, TOOLS.md sections, conversation patterns, repeated instructions) into a skill.

Gather what exists, where it lives, what works, what's fragile. Then proceed to Stage 1.

Stage 1: Problem Understanding

Work through with the user:

  1. What does this skill do? (one sentence)
  2. When should it load? Example phrases, mid-task triggers, scheduled triggers
  3. What does success look like? Concrete outcomes per example

Stage 2: Capability Discovery

Generalisability

Ask early: Is this for your setup, or should it work on any OpenClaw instance?

ChoiceImplications
UniversalGeneric paths, no local assumptions, ClawHub-ready
ParticularCan reference local skills, tools, workspace config

Skill Synergy (Particular Only)

Scan <available_skills> from the system prompt for complementary capabilities. Read promising skills to understand composition opportunities.

OpenClaw Features

Review the docs with the skill's needs in mind. Think compositionally — OpenClaw's primitives combine in powerful ways. Key docs to check:

NeedDoc
Messages/concepts/messages
Cron/scheduling/automation/cron-jobs
Subagents/tools/subagents
Browser/tools/browser
Canvas UI/tools/ (canvas)
Node devices/nodes/
Slash commands/tools/slash-commands

See {baseDir}/patterns/composable-examples.md for inspiration on combining these.

Stage 3: Architecture

Based on Stages 1–2, identify which patterns apply:

If the skill...Pattern
Wraps a CLI tool{baseDir}/patterns/cli-wrapper.md
Wraps a web API{baseDir}/patterns/api-wrapper.md
Monitors and notifies{baseDir}/patterns/monitor.md

Load all that apply and synthesise. Most skills combine patterns.

Script vs. instructions split: Scripts handle deterministic mechanics (API calls, data gathering, file processing). SKILL.md instructions handle judgment (interpreting results, choosing approaches, composing output). The boundary is: could a less intelligent system do this reliably? If yes → script.

Stage 4: Design Specification

Present proposed architecture for user review:

  1. Skill structure — files and directories
  2. SKILL.md outline — sections and key content
  3. Components — scripts, modules, wrappers
  4. State — stateless, session-stateful, or persistent (and where it lives)
  5. OpenClaw integration — which features, how they interact
  6. Secrets — env vars, keychain, config file (document in setup section, never hardcode)

State locations:

  • <workspace>/memory/ — user-facing context
  • {baseDir}/state.json — skill-internal state (travels with skill)
  • <workspace>/state/<skill>.json — skill state in common workspace area

If extracting: include migration notes (what moves, what workspace files need updating).

Validate: Does it handle all Stage 1 examples? Any contradictions? Edge cases?

Iterate until the user is satisfied. This is where design problems surface cheaply.

Stage 5: Implementation

Default: same-session. Work through the spec with user review at each step. Reserve subagent handoff for complex script subcomponents only — SKILL.md and integration logic stay in the main session.

  1. Create skill directory + SKILL.md skeleton (frontmatter + sections)
  2. Scripts (if any) — get them working and tested
  3. SKILL.md body — complete instructions
  4. Test against Stage 1 examples

If extracting: update workspace files, clean up old locations, verify standalone operation.

Crafting the Frontmatter

The frontmatter determines discoverability and gating. Format follows the AgentSkills spec with OpenClaw extensions.

---
name: my-skill
description: [description optimised for discovery — see below]
homepage: https://github.com/user/repo  # optional
metadata: {"openclaw":{"emoji":"🔧","requires":{"bins":["tool"],"env":["API_KEY"]},"primaryEnv":"API_KEY","install":[...]}}
---

Critical: metadata must be a single-line JSON object (parser limitation).

Description — Write for Discovery

The description determines whether the skill gets loaded. Include:

  • Core capability — what it does
  • Trigger keywords — terms users would say
  • Contexts — situations where it applies

Test: would the agent select this skill for each of your Stage 1 example phrases?

Frontmatter Keys

KeyPurpose
nameSkill identifier (required)
descriptionDiscovery text (required)
homepageURL for docs/repo
user-invocabletrue/false — expose as slash command (default: true)
disable-model-invocationtrue/false — exclude from model prompt (default: false)
command-dispatchtool — bypass model, dispatch directly to a tool
command-toolTool name for direct dispatch
command-arg-moderaw — forward raw args to tool

Metadata Gating

OpenClaw filters skills at load time using metadata.openclaw:

FieldEffect
always: trueSkip all gates, always load
emojiDisplay in macOS Skills UI
osPlatform filter (darwin, linux, win32)
requires.binsAll must exist on PATH
requires.anyBinsAt least one must exist
requires.envEnv var must exist or be in config
requires.configConfig paths must be truthy
primaryEnvMaps to skills.entries.<name>.apiKey
installInstaller specs for auto-setup (brew/node/go/uv/download)

Sandbox note: requires.bins checks the host at load time. If sandboxed, the binary must also exist inside the container.

Token Budget

Each eligible skill adds ~97 chars + name + description + location path to the system prompt. Keep descriptions informative but not bloated — every character costs tokens on every turn.

Install Specs

"install": [
  {"id": "brew", "kind": "brew", "formula": "tap/tool", "bins": ["tool"], "label": "Install via brew"},
  {"id": "npm", "kind": "node", "package": "tool", "bins": ["tool"]},
  {"id": "uv", "kind": "uv", "package": "tool", "bins": ["tool"]},
  {"id": "go", "kind": "go", "package": "github.com/user/tool@latest", "bins": ["tool"]},
  {"id": "dl", "kind": "download", "url": "https://...", "archive": "tar.gz"}
]

Path Conventions

TokenMeaning
{baseDir}This skill's directory (OpenClaw resolves at runtime)
<workspace>/Agent's workspace root
  • Use {baseDir} for skill-internal references (scripts, state, patterns)
  • Use <workspace>/ for workspace files (TOOLS.md, memory/, etc.)
  • Never hardcode absolute paths — workspaces are portable
  • For subagent scenarios, include path context in the task description (sandbox mounts differ)

References

Comments

Loading comments...