Qclaw Skill Creator
PassAudited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill Name: qclaw-skill-creator Version: 1.0.0 The skill bundle is a meta-tool designed to help an AI agent create, validate, and package other skills. It includes utility scripts (init_skill.py, package_skill.py, and quick_validate.py) that automate directory scaffolding and ZIP packaging, alongside documentation (SKILL.md, workflows.md) that provides structural guidance. The instructions and code logic are consistent with the stated purpose of skill development and do not exhibit signs of malicious intent, data exfiltration, or harmful prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user cannot easily verify the scripts against an upstream project before running them.
The skill includes executable helper scripts but does not provide an upstream source or homepage for provenance verification. This is not malicious by itself, but users have less external context for the bundled code.
Source: unknown; Homepage: none ... Code file presence: 3 code file(s): scripts/init_skill.py, scripts/package_skill.py, scripts/quick_validate.py
Review the bundled scripts directly and install only from a trusted publisher or registry source.
If a skill folder accidentally contains private files, they could be included in the local .skill package and later shared by the user.
The packager recursively includes every file under the selected skill folder. That is expected for packaging, but there is no exclusion list for hidden files, secrets, or temporary files.
for file_path in skill_path.rglob('*'):
if file_path.is_file():
... zipf.write(file_path, arcname)Inspect the skill directory and generated .skill archive before distributing it, and avoid keeping credentials, .env files, or private notes inside skill folders.