Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill assessment

v1.2.0

Evaluate OpenClaw skills with lightweight static analysis across documentation completeness, code quality, configuration friendliness, and maintenance signal...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a CLI tool (commands like `skill-assess ...`) and presents the skill as an assessment tool, but the package contains no code, no install spec, no binaries, and no homepage or source link. It's unclear whether the described tool is expected to be preinstalled by the environment or supplied elsewhere — this mismatch reduces trust and usability.
Instruction Scope
The runtime instructions are narrowly scoped: they describe running a local assessment tool against local skill directories and producing reports. They do not instruct reading unrelated system files, accessing external endpoints, or exfiltrating secrets.
Install Mechanism
There is no install specification (instruction-only). That lowers immediate risk because nothing is written to disk by the skill itself, but it also means the skill is nonfunctional unless an external `skill-assess` binary exists. The lack of source/homepage or guidance on where to obtain the binary is a usability and provenance concern.
Credentials
The skill requests no environment variables, credentials, or config paths. The absence of secret requirements is proportionate to the described local-assessment purpose.
Persistence & Privilege
The skill does not request permanent presence (always:false) and has no install actions or configuration changes. It does not request elevated privileges or modify other skills' configs.
Scan Findings in Context
[no_code_files_detected] unexpected: The regex scanner found no code files or install scripts. For a skill that describes a CLI tool, this is unexpected unless the environment already provides the tool or the skill is intentionally documentation-only. The absence of implementation reduces trust; verify provenance of the referenced `skill-assess` command.
What to consider before installing
This package is essentially documentation describing a CLI called `skill-assess`, but it contains no code or install instructions and gives no source or homepage; treat it as a wrapper/README, not a working tool. Before installing or relying on it:
1. Ask the publisher where the `skill-assess` binary comes from and obtain it from a trusted source (homepage or repository).
2. Avoid running unknown binaries you download from unverified locations.
3. If you expected this skill to install the tool, request an install spec or source code from the author.
4. Because it requests no secrets and contains no install steps, it is low immediate risk, but its usefulness is limited until you verify the external CLI's provenance.
