Skill Provenance
v4.9.0Version tracking for Agent Skills bundles and their associated files across sessions, surfaces, and platforms. Use when creating, editing, versioning, valida...
⭐ 0· 398·1 current·1 all-time
bySam Rogers@snapsynapse
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (version tracking, manifest, changelog, packaging) match the provided artifacts: SKILL.md, MANIFEST.yaml, CHANGELOG.md, evals, and two shell helpers (package.sh and validate.sh) that implement packaging and hash verification. Nothing requested or included is out of scope for a provenance/packaging tool.
Instruction Scope
SKILL.md instructs the agent to inventory, add version headers where appropriate, create/maintain MANIFEST.yaml and CHANGELOG.md, and package derived copies. These actions require read/write access to the bundle files and the scripts likewise operate on bundle files; that is expected. There are no instructions to read unrelated system files, secrets, or phone-home endpoints.
Install Mechanism
No install spec or remote downloads are present; this is instruction-only with local, zero-dependency shell helpers. No archive downloads, URL-based installs, or external package pulls are used.
Credentials
The skill declares no required environment variables, credentials, or external config paths. The included scripts rely only on common local utilities (shasum/sha256sum, awk, cp, mktemp) consistent with their purpose.
Persistence & Privilege
The skill does not request always:true or system-wide privileges. However, the runtime model and helper scripts intentionally read and modify bundle files (they can rewrite SKILL.md in derived copies and update MANIFEST.yaml when hashes change). This is expected behavior for packaging/validation but means you should permit the agent to edit only bundles you trust or work on a copy.
Assessment
This bundle appears coherent and low-risk: it only operates on local bundle files, performs SHA-256 checks, and creates derived install copies. Before using: (1) review package.sh and validate.sh (they will copy and may rewrite MANIFEST.yaml and derived SKILL.md), (2) run validate.sh in verify mode first (no --update) to see mismatches, (3) operate on a local copy or backup the bundle before allowing automatic updates, and (4) avoid running these scripts against untrusted bundles unless you inspect those bundles first. The skill does not request credentials or perform network calls.Like a lobster shell, security has layers — review code before you run it.
latestvk975hy3cz9ccw5b7rg9vrth33984e4ff
License
MIT-0
Free to use, modify, and redistribute. No attribution required.