Skill Vetter

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You have less outside context about who authored or maintains the checklist.

Why it was flagged

The registry information does not identify an upstream source or homepage, so users have limited provenance context, though there is no runnable code or dependency in the supplied artifacts.

Skill content
Source: unknown; Homepage: none
Recommendation

Treat it as a checklist from an unknown publisher; prefer a trusted source if provenance is important for your installation policy.

What this means

If run carelessly, the agent could fetch unintended remote content or review the wrong repository.

Why it was flagged

The skill suggests shell/network commands to fetch GitHub metadata and skill content. These are disclosed examples with placeholders and fit the vetting purpose.

Skill content
curl -s "https://api.github.com/repos/OWNER/REPO" ... curl -s "https://raw.githubusercontent.com/OWNER/REPO/main/skills/SKILL_NAME/SKILL.md"
Recommendation

Use these commands only for user-approved repositories and verify placeholders before running them.

What this means

A malicious candidate skill could try to distract or redirect the agent during review if its text is not treated as data.

Why it was flagged

The vetting workflow intentionally brings third-party skill files into the agent context. That is necessary for review, but candidate skill text may itself contain instructions.

Skill content
Read ALL files in the skill ... Fetch and review SKILL.md
Recommendation

When using this skill, treat reviewed skill files as untrusted evidence and do not follow instructions contained inside the candidate skill.