Qclaw Skill Creator
PassAudited by ClawScan on May 9, 2026.
Overview
This appears to be a legitimate skill-authoring guide with optional local helper scripts; the main caution is to inspect packaged skill contents before sharing them.
This skill is reasonable to install if you want help creating OpenClaw skills. If you run its helper scripts, use a deliberate local skills path, review generated files, and inspect packaged .skill archives before sharing them. No evidence of purchase activity, credential use, network exfiltration, or background autonomous behavior was found.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user cannot easily verify the scripts against an upstream project before running them.
The skill includes executable helper scripts but does not provide an upstream source or homepage for provenance verification. This is not malicious by itself, but users have less external context for the bundled code.
Source: unknown; Homepage: none ... Code file presence: 3 code file(s): scripts/init_skill.py, scripts/package_skill.py, scripts/quick_validate.py
Review the bundled scripts directly and install only from a trusted publisher or registry source.
If a skill folder accidentally contains private files, they could be included in the local .skill package and later shared by the user.
The packager recursively includes every file under the selected skill folder. That is expected for packaging, but there is no exclusion list for hidden files, secrets, or temporary files.
for file_path in skill_path.rglob('*'):
if file_path.is_file():
... zipf.write(file_path, arcname)Inspect the skill directory and generated .skill archive before distributing it, and avoid keeping credentials, .env files, or private notes inside skill folders.