Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SkillForge

v1.0.4

Generate and audit OpenClaw agent skills from natural language. Use when the operator asks to create a skill, build a skill, generate a skill, audit a skill,...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for shadoprizm/skillforge-cli.

Prompt preview (Install & Setup):
Install the skill "SkillForge" (shadoprizm/skillforge-cli) from ClawHub.
Skill page: https://clawhub.ai/shadoprizm/skillforge-cli
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skillforge-cli

ClawHub CLI

npx clawhub@latest install skillforge-cli

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (generate & audit skills) align with the instructions in SKILL.md. However, SKILL.md expects npm and the ClawHub CLI (clawhub login/publish) to be available, while the registry metadata says 'Required binaries: none'—this is an inconsistency. skill.json points to a GitHub repo as the source, but the registry-level 'Homepage: none' contradicts that.
Instruction Scope
The runtime instructions stay within the stated purpose: run the SkillForge CLI to generate/audit skill directories and (when --pro is used) send skill contents to the user-selected AI provider. The SKILL.md explicitly warns not to audit directories containing secrets. It does not instruct the agent to read unrelated files, hidden system paths, or undisclosed environment variables.
Install Mechanism
The skill is instruction-only (no install spec), but SKILL.md instructs users to run npm install -g @shadoprizm/skillforge. Installing a third-party global npm package runs arbitrary code on the host — this is expected for a CLI but increases risk and should be validated by inspecting the package and its GitHub source. No direct install URL or extract-from-unknown-host behavior is present, which is good, but the absence of an install spec in registry metadata plus contradictory homepage information is a minor red flag.
Credentials
No required env vars are declared at the registry level, and the skill.json sensibly lists several optional API keys (ZAI_API_KEY, OPENAI_API_KEY, OPENROUTER_API_KEY, QWEN_API_KEY) needed only for Pro features — this is proportionate. However, skill.json states keys are stored locally under ~/.skillforge using the 'conf' package and describes storage inconsistently (calls it both encrypted and plaintext-like). Storing API keys locally in cleartext (or in a location with bash-like permissions) is sensitive and should be considered before use.
Persistence & Privilege
The skill does not request always:true, does not declare system config path access, and does not attempt to modify other skills. It uses normal autonomous invocation defaults. No elevated persistence or cross-skill config changes are requested.
What to consider before installing
Before installing or running this skill, verify the upstream npm package and GitHub repository (https://github.com/shadoprizm/skillforge) yourself: inspect the package source, release history, and maintainer. Do not run --pro or audit commands against directories containing secrets, private keys, or production API keys — the tool will send skill contents to whichever AI provider you configure. Consider using an ephemeral/test API key for Pro mode, and confirm how keys are stored (the SKILL.md/skill.json indicate keys are saved under ~/.skillforge via 'conf', which may be plaintext). Also note the registry metadata omission: SKILL.md expects npm and clawhub CLI presence even though 'Required binaries' is empty; ensure you have and trust those tools before proceeding.

Like a lobster shell, security has layers — review code before you run it.

Tags: auditor, generator, latest, quality, skillforge, skills
87 downloads
0 stars
5 versions
Updated 3w ago
v1.0.4
MIT-0

SkillForge — Skill Generator & Auditor

Generate complete, publish-ready OpenClaw agent skills from natural language descriptions. Audit existing skills for quality, safety, and completeness.

Prerequisites

SkillForge CLI must be installed globally:

npm install -g @shadoprizm/skillforge@latest

Check version: skillforge --version (requires 0.3.2+)

Commands

Generate a Skill

Free tier (template scaffold, no API key):

skillforge "<description>" --output <path> --lang <typescript|javascript|python>

Pro tier (AI-powered, requires API key):

skillforge "<description>" --pro --output <path> --lang <typescript|javascript|python>

Audit a Skill

skillforge audit <path> --format <table|json|markdown>

Pro audit with AI analysis:

skillforge audit <path> --pro --format markdown

Publish to ClawHub

First-time auth:

clawhub login

Then publish:

skillforge "<description>" --output <path> --publish

Or publish an existing skill:

clawhub publish <path> --slug <slug> --name "<name>" --version <semver>

Workflow

When asked to create/generate a skill:

  1. Clarify the skill purpose if the description is vague
  2. Run skillforge "<description>" --pro --output /tmp/skillforge-gen --lang typescript
  3. Read the generated files to verify quality
  4. Run skillforge audit /tmp/skillforge-gen --pro to score it
  5. If score is B+ or above, offer to publish to ClawHub
  6. If score is below B+, improve the SKILL.md and scripts manually, then re-audit
  7. On operator approval, publish: clawhub publish /tmp/skillforge-gen --slug <slug> --name "<name>" --version 1.0.0

When asked to audit a skill:

  1. Run skillforge audit <path> --pro --format markdown
  2. Present the report to the operator
  3. Offer specific fixes for any issues found
  4. Re-audit after fixes

API Key Configuration

SkillForge Pro uses the operator's own API key (BYOK model). Supported providers:

Env Variable          Provider
ZAI_API_KEY           Z.AI (GLM-5)
OPENAI_API_KEY        OpenAI
OPENROUTER_API_KEY    OpenRouter
QWEN_API_KEY          Qwen

Keys can also be stored via: skillforge config:set-api-key <key>

Audit Categories

Category         Weight    What It Checks
Structure        20%       SKILL.md, skill.json, file organization
Completeness     25%       Required sections, fields, tags
Quality          25%       Description depth, workflow detail, examples
Safety           20%       Dangerous patterns, hardcoded secrets
Compatibility    10%       Category validity, tool references

Constraints

  • Always use --pro when an API key is available for best quality
  • WARNING: Pro mode sends skill contents to your chosen AI provider. Do not audit directories containing secrets, .env files, private keys, or credentials. Point audits only at skill directories.
  • Verify generated skills actually work before publishing
  • Never publish without operator approval
  • Use --format json for CI/CD contexts, --format table for chat
  • Slug must be unique on ClawHub — if taken, try variations
  • Never pass production API keys to untrusted skill content for auditing
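
A preflight check for the Pro-mode warning above, written for this page as an added example (not part of SkillForge or its SKILL.md). It refuses a directory that contains credential-style file names, PEM private keys, or assigned values for the provider key variables listed earlier; the function name, file-name list and regexes are assumptions.

```shell
#!/bin/sh
# Added example: gate to run before `skillforge audit <path> --pro`.
# The name list and regexes are illustrative assumptions, not SkillForge's rules.

# Prints findings; returns 0 if clean, 1 if secrets are likely, 2 on bad input.
skill_audit_preflight() {
  dir=$1
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

  # Refuse targets that are obviously broader than one skill directory.
  real=$(cd "$dir" && pwd -P)
  home_real=$(cd "${HOME:-/}" && pwd -P)
  if [ "$real" = "/" ] || [ "$real" = "$home_real" ]; then
    echo "refusing: $real is broader than a skill directory"
    return 1
  fi

  # 1. File names that normally hold credentials.
  by_name=$(find "$dir" -type f \( -name '.env' -o -name '.env.*' \
      -o -name '*.pem' -o -name '*.key' -o -name 'id_rsa' \
      -o -name 'id_ed25519' -o -name '.npmrc' -o -name 'credentials*' \) \
      2>/dev/null)

  # 2. Contents: a PEM private key, or a literal value assigned to one of the
  #    provider key variables. A bare mention of the variable name, or a
  #    process.env.* read, does not match.
  by_content=$(grep -rlIE \
      -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
      -e '(ZAI|OPENAI|OPENROUTER|QWEN)_API_KEY[[:space:]]*[:=][[:space:]]*["'\'']?[A-Za-z0-9_-]{16,}' \
      "$dir" 2>/dev/null || true)

  if [ -n "$by_name" ]; then
    printf 'secret-bearing file name:\n%s\n' "$by_name"
  fi
  if [ -n "$by_content" ]; then
    printf 'secret-like content:\n%s\n' "$by_content"
  fi
  [ -z "$by_name$by_content" ]
}

# Usage: sh preflight.sh <skill-dir> && skillforge audit <skill-dir> --pro --format markdown
if [ "$#" -gt 0 ]; then
  skill_audit_preflight "$1"
fi
```

A clean result only means none of these patterns matched; read the directory listing before sending it to a provider.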
