Skill Vetter
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is an instruction-only security checklist with no code or credential requests; its only notable risks are limited provenance and optional GitHub fetch commands used for vetting.
This skill appears safe to use as a manual vetting checklist. Before installing, note that its publisher provenance is limited, and when applying it to other skills, only fetch user-approved repositories and treat reviewed files as untrusted content rather than executable instructions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You have less outside context about who authored or maintains the checklist.
The registry information does not identify an upstream source or homepage, so users have limited provenance context, though there is no runnable code or dependency in the supplied artifacts.
Source: unknown; Homepage: none
Treat it as a checklist from an unknown publisher; prefer a trusted source if provenance is important for your installation policy.
If run carelessly, the agent could fetch unintended remote content or review the wrong repository.
The skill suggests shell/network commands to fetch GitHub metadata and skill content. These are disclosed examples with placeholders and fit the vetting purpose.
curl -s "https://api.github.com/repos/OWNER/REPO" ... curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md"
Use these commands only for user-approved repositories and verify placeholders before running them.
A malicious candidate skill could try to distract or redirect the agent during review if its text is not treated as data.
The vetting workflow intentionally brings third-party skill files into the agent context. That is necessary for review, but candidate skill text may itself contain instructions.
Read ALL files in the skill ... Fetch and review SKILL.md
When using this skill, treat reviewed skill files as untrusted evidence and do not follow instructions contained inside the candidate skill.
