Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
skill-creater
v1.0.0
Generate complete AgentSkills from user requirements. Creates SKILL.md, scripts, references, assets folders, and packages them into a ready-to-upload archive...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to 'interview' users, generate complete SKILL.md, scripts, references, and package into a zip. The repository contains generator and packager scripts that implement name/manifest generation and zipping, which aligns with the stated purpose. However the claimed interactive interview and some 'automatic assurances' are not implemented in the provided scripts; overall capability is plausible but overstated.
Instruction Scope
SKILL.md describes an automated interview flow and many guarantees (YAML compliance, progressive disclosure). The code (init_skill_template.py) is a simple CLI that accepts a single description argument — it does not implement an interactive interview or advanced validation. The packager validates only basic frontmatter existence and a few manifest fields. The instructions therefore promise more automation and validation than the code provides.
Install Mechanism
No install spec; this is an instruction-and-code skill only. There are no external downloads, no network installs, and no injected third-party packages referenced. Packaging and file I/O are local.
Credentials
The skill requests no environment variables, no credentials, and references no external secrets. The code only reads/writes local filesystem paths and manifest/SKILL.md files, which is consistent with the purpose.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify other skills or system-wide settings. It runs local file operations only and is not configured for forced inclusion.
What to consider before installing
This package appears to be a developer utility but has several red flags that point to sloppy or incomplete implementation rather than clear malicious intent. Things to do before trusting or using it:
- Inspect and run the Python scripts locally in a safe environment (sandbox/VM) and review output ZIP contents before uploading anywhere.
- Note naming/path inconsistencies: SKILL.md and manifest mention 'skill-creater' but build.sh and some human-facing text say 'skill-craftsmen'/'skill-craftsmen', and build.sh calls scripts/package_skill.py while package_skill.py is at the repository root. This likely indicates broken scripts or copy-paste errors you should fix before use.
- Expect the 'interview' capability to be manual: init_skill_template.py currently only accepts a single CLI argument (no interactive Q&A). If you need interactive prompting, add or review that logic yourself.
- Validate generated SKILL.md and manifest.json contents before uploading to ClawHub; the packager's validation is minimal.
- Because the package writes files and zips directories, do not run it on directories containing sensitive files (or run it with a dedicated temp folder) to avoid accidental inclusion.
- If you plan to let an autonomous agent invoke this skill, consider restricting autonomous invocation until you've verified the generated outputs are safe and correct.
If you want, I can: (1) point out exact lines to change to fix build.sh path/name mismatches, (2) show a short test plan to validate the packager locally, or (3) produce a hardened checklist for reviewing generated skills before upload.
Like a lobster shell, security has layers — review code before you run it.
