Skill Recommender Pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it says: it lists installed OpenClaw skills and searches for related skills to recommend, without evidence of hidden data theft, persistence, or account mutation.
This looks safe for normal use as a recommendation helper. It will inspect your installed OpenClaw skills and may search the skill registry, so treat its output as advice rather than approval and review any suggested skill before installing it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may read the list of installed skills and use that information to personalize recommendations.
The skill directs the agent to run local CLI/Python commands to enumerate installed skills. This is coherent with recommendation generation, but users should notice that it inspects the local OpenClaw setup.
clawhub list 2>/dev/null || echo "No skills installed"
...
subprocess.run(["clawhub", "list"], capture_output=True, text=True, timeout=10)
Use it when you are comfortable sharing your installed-skill inventory with the active agent session, and review any recommendation before installing additional skills.
There is less publisher/source context to help judge trust, but the reviewed artifacts do not show hidden dependencies or remote install code.
The skill has limited provenance information, though it also has no install script or bundled executable code in the provided artifacts.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Prefer installing from trusted publishers when possible, and keep review focused on the visible SKILL.md instructions before use.
