IQ Skill
Pass
Audited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill
Name: iq
Version: 1.0.0
The 'iq' skill bundle is a well-structured tool for generating IQ tests, brain teasers, and interactive puzzles. Analysis of the Python scripts (iq_test_generator.py, daily_challenge.py, brain_games.py) and the HTML template (iq_test_template.html) reveals no evidence of data exfiltration, malicious execution, or unauthorized system access. The instructions in SKILL.md are strictly aligned with the stated purpose of content generation and do not contain any prompt-injection attempts or hidden malicious directives.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Opening a generated quiz is expected to run browser JavaScript; unsafe custom content could potentially change what that page does.
The HTML template intentionally runs client-side JavaScript and uses placeholders that will be replaced with generated quiz content. If untrusted custom content is inserted without proper JSON/HTML escaping, the resulting local HTML could run unexpected script.
<h1>{{TEST_TITLE}}</h1> ... <script> const questions = {{QUESTIONS_JSON}};
Only embed trusted quiz content, escape titles/questions/options correctly, and review generated HTML before opening or sharing it.
If the agent is asked to save output to the wrong location, it could overwrite a local file.
The script can write generated challenge output to a user-supplied file path. This is purpose-aligned, but the path is not constrained in the visible code.
parser.add_argument("--output", help="Output file path (optional)") ... with open(args.output, "w", encoding="utf-8") as f:
Use a dedicated output folder and confirm file paths before saving generated puzzles or quizzes.
Users have less external context for who authored or maintains the skill.
The registry metadata does not provide a source repository or homepage, which limits provenance assurance. The artifacts themselves do not show remote install scripts, unpinned packages, or hidden dependencies.
Source: unknown; Homepage: none
Prefer skills with clear provenance when possible, or inspect the included files before relying on them.
