v1.0.2

Skill Recommender Pro

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:06 AM.

Analysis

This skill appears to do what it says: it lists installed OpenClaw skills and searches for related skills to recommend, without evidence of hidden data theft, persistence, or account mutation.

Guidance: This looks safe for normal use as a recommendation helper. It will inspect your installed OpenClaw skills and may search the skill registry, so treat its output as advice rather than approval and review any suggested skill before installing it.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Info; Confidence: High; Status: Note
SKILL.md
clawhub list 2>/dev/null || echo "No skills installed" ... subprocess.run(["clawhub", "list"], capture_output=True, text=True, timeout=10)

The skill directs the agent to run local CLI/Python commands to enumerate installed skills. This is coherent with recommendation generation, but users should notice that it inspects the local OpenClaw setup.

User impact: The agent may read the list of installed skills and use that information to personalize recommendations.
Recommendation: Use it when you are comfortable sharing your installed-skill inventory with the active agent session, and review any recommendation before installing additional skills.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: Medium; Status: Note
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The skill has limited provenance information, though it also has no install script or bundled executable code in the provided artifacts.

User impact: There is less publisher/source context to help judge trust, but the reviewed artifacts do not show hidden dependencies or remote install code.
Recommendation: Prefer installing from trusted publishers when possible, and keep review focused on the visible SKILL.md instructions before use.