Cowhorse Skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent workflow-building skill with no hidden exfiltration or destructive behavior, but it can guide the agent to create/test skill files and update memory.
This skill appears safe for its stated purpose. Before using it, be aware that it is meant to create persistent skill files, optionally generate scripts, test them, package the result, and update MEMORY.md. Review generated code, file paths, and memory entries before approving execution or installation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated workflow code could modify local files or perform system actions depending on the user's requested workflow.
The skill may guide the agent to create automation scripts and shell scripts. This is central to building workflow skills, but generated scripts can affect files or systems if run without review.
Add scripts if automation is needed:
- Python scripts for data processing, file operations, etc.
- Shell scripts for system commands
Review any generated script and confirm the intended file paths and actions before allowing execution.
A sample run could execute newly generated code or touch sample files in the workspace.
The workflow includes running a sample execution of the generated skill. This is expected for validation, but it is still code/tool execution and should stay user-approved.
Test the skill - Run a sample execution if possible
Only test generated skills with safe sample inputs and confirm what will be run first.
The behavior of skill creation and packaging also depends on the local skill-creator tooling.
The skill depends on external skill-creator helper scripts that are referenced but not included here. That is understandable for a skill-builder, but users should know those helpers are part of the execution path.
Create skill directory using `scripts/init_skill.py` from skill-creator ... Package the skill using `scripts/package_skill.py` from skill-creator
Use a trusted local copy of skill-creator and review the generated files before packaging or installing them.
Details about the created skill may remain available to the agent in later sessions.
The skill explicitly writes persistent memory about the new skill. This is disclosed and aligned with finalizing reusable skills, but persistent memory can influence future agent behavior.
Update MEMORY.md with the new skill info
Avoid putting secrets or unnecessary sensitive project details into the memory entry, and review MEMORY.md after finalization.
