Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Adaptive Agent: Skill Review

v1.0.0

Review all skills for staleness, missing gotchas, and improvement opportunities. Run periodically or after a series of tasks to keep procedural memory accura...

1 star · 57 downloads · 0 current · 0 all-time
by LJ Li (@truenorth-lj)
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (skill review, detect staleness, add gotchas) aligns with the instructions (inventory, grep, read SKILL.md, propose/patch skills, commit). However the SKILL.md assumes access to git, stat, grep, and the agent's memory and repo layout but the skill metadata lists no required binaries or config paths — a minor inconsistency that should be declared.
Instruction Scope
Instructions explicitly tell the agent to read all skills/*/SKILL.md, check shared/gotchas.md and memory files, run git log, and patch and commit skills. That scope legitimately belongs to a reviewer, but it grants broad read/write access to the skill repository and agent memory and gives the agent discretion to modify files. There are no explicit safeguards (dry-run, confirmation before edits, secret scanning, tests before commit), so this could accidentally expose or corrupt data.
Install Mechanism
Instruction-only skill with no install spec means nothing is written by an installer — lower installation risk. The runtime still expects local tooling (git, grep, stat, bash).
Credentials
The SKILL.md reads unspecified 'memory files' and shared/gotchas.md but the skill declares no environment variables or required config paths. Reading agent memory or other repo files can expose unrelated sensitive data; these accesses are not declared or scoped in the metadata.
Persistence & Privilege
always:false is appropriate, but the skill actively instructs modifying other skills' SKILL.md and committing changes. A skill that can autonomously edit and commit repository files should have explicit safeguards and least privilege; currently it lacks restrictions (confirmation steps, approval gates, test runs), increasing the risk of unwanted persistent changes.
What to consider before installing
This skill is coherent with its stated purpose (reviewing and patching skills) but it asks the agent to read repository files, agent memory, run shell/git commands, and commit changes without declaring required tools or safeguards. Before installing or enabling it, consider:

  • Limit runtime scope: restrict which repository paths and memory namespaces the skill may read.
  • Require explicit manual confirmation before any edit or commit (no blind autonomous commits).
  • Add a dry-run mode that produces suggested patches but does not write files.
  • Ensure git and other expected binaries are declared in metadata and available in the runtime.
  • Add secret-scanning and automated tests before staging/committing changes.
  • Keep logs and require signed commits or a human approve-and-merge workflow.
  • If you are uncomfortable with repository writes or memory reads, run this skill in read-only mode or only allow it to produce reports rather than apply changes.

If you want to proceed, ask the skill author to update metadata to declare required binaries and to add explicit safety steps (confirm-before-edit, dry-run, scope-limiting, and secret-scan) so you can trust autonomous or user-invoked runs.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97cb841ygy39brvkv9ntx3r5s84x0kr
57 downloads
1 star
1 version
Updated 1w ago
v1.0.0
MIT-0

Skill Review

Periodic review of all skills to keep procedural memory accurate and up-to-date.

When to Run

  • After completing a batch of tasks across multiple skills
  • When you notice a skill has outdated steps or missing context
  • Proactively every ~2 weeks as maintenance

Step 1: Inventory

List all skills and their last-modified dates. Try GNU date -r first and fall back to BSD stat: GNU stat treats -f as a filesystem query, so trying stat first prints filesystem information instead of a date on Linux:

for d in skills/*/SKILL.md; do echo "$(date -r "$d" '+%Y-%m-%d' 2>/dev/null || stat -f '%Sm' -t '%Y-%m-%d' "$d") $d"; done | sort -r

Read each SKILL.md briefly (first 30 lines) to understand scope.

Step 2: Cross-Reference with Memory

Check memory files and shared/gotchas.md (if they exist) for lessons that should have flowed into skills but didn't.

For each gotcha or feedback memory:

  • Does it relate to a specific skill?
  • Is that lesson already captured in the skill's steps or ## Gotchas section?
  • If not, patch the skill

Step 3: Check for Staleness

For each skill, check:

| Check | How |
|-------|-----|
| References valid paths? | Grep for file paths mentioned in SKILL.md, verify they exist |
| References valid commands? | Check if CLI tools or scripts mentioned still work |
| Steps still accurate? | Compare with actual workflow from recent git history |
| Gotchas section exists? | If skill has been used multiple times, it should have accumulated lessons |

Step 4: Check for Gaps

Look for recurring multi-step patterns that don't have a skill yet:

git log --oneline -30

If a workflow has been done 3+ times manually, propose creating a skill for it.

Step 5: Consolidate Duplicates

Check for skills with overlapping scope. If two skills cover similar ground, propose merging or clarifying boundaries.

Step 6: Report

Output a summary table:

| Skill | Status | Action Taken |
|-------|--------|-------------|
| /typefully | Updated | Added gotcha about image requirements |
| /codebase | OK | No changes needed |
| /deploy-flow | NEW | Created from repeated manual workflow |
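The following script is an added example and is not part of this skill or of ClawHub: it automates the Step 1 inventory, the first, second and fourth rows of the Step 3 staleness table (missing paths, missing commands, missing Gotchas section) and prints the Step 6 summary table. It assumes a layout of skills/*/SKILL.md under a repo root, and that the paths and commands a skill depends on are written in backticks (a backticked token containing a slash is treated as a repo-relative path, otherwise its first word is treated as a command). The two fixture skills it creates are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the skill: automates the Step 1 inventory and the
# Step 3 path/command/gotcha checks for every skills/*/SKILL.md under a repo
# root, and prints the Step 6 summary table. Assumptions (ours): paths and
# commands that a skill relies on appear in backticks; a backticked token with
# a slash is a repo-relative path, otherwise its first word is a command.
set -u

# Step 1: "<YYYY-MM-DD> <path>" per skill, newest first (GNU/BSD date -r FILE).
inventory() {
  local root="$1" f
  for f in "$root"/skills/*/SKILL.md; do
    [ -f "$f" ] || continue
    printf '%s %s\n' "$(date -r "$f" '+%Y-%m-%d')" "$f"
  done | sort -r
}

# All backticked tokens in a SKILL.md, one per line, backticks stripped.
backticked() {
  grep -oE '`[^`]+`' "$1" | tr -d '`'
}

# Step 3a: referenced paths that do not exist under the repo root.
missing_paths() {
  local root="$1" skill="$2" p
  backticked "$skill" | grep '/' | sort -u | while read -r p; do
    [ -e "$root/$p" ] || printf '%s\n' "$p"
  done
}

# Step 3b: referenced commands that are not on PATH.
missing_commands() {
  local skill="$1" cmd
  backticked "$skill" | grep -v '/' | awk '{print $1}' |
    grep -E '^[a-z][a-z0-9_-]*$' | sort -u | while read -r cmd; do
      command -v "$cmd" >/dev/null 2>&1 || printf '%s\n' "$cmd"
    done
}

# Step 3c: does the skill have a Gotchas section yet?
has_gotchas() {
  grep -q '^## Gotchas' "$1"
}

# Classify one skill and print it as a Step 6 table row.
review_skill() {
  local root="$1" skill="$2" name paths cmds status action
  name=$(basename "$(dirname "$skill")")
  paths=$(missing_paths "$root" "$skill" | tr '\n' ' ')
  cmds=$(missing_commands "$skill" | tr '\n' ' ')
  if [ -n "$paths$cmds" ]; then
    status="STALE"
    action="missing paths: ${paths:-none}; missing commands: ${cmds:-none}"
  elif ! has_gotchas "$skill"; then
    status="REVIEW"
    action="no ## Gotchas section yet"
  else
    status="OK"
    action="No changes needed"
  fi
  printf '| /%s | %s | %s |\n' "$name" "$status" "$action"
}

# Step 6: the summary table for every skill under the root.
report() {
  local root="$1" f
  printf '| Skill | Status | Action Taken |\n|-------|--------|-------------|\n'
  for f in $(inventory "$root" | awk '{print $2}'); do
    review_skill "$root" "$f"
  done
}

# Constructed fixture so the script runs offline: two skills, one of them stale.
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/skills/codebase" "$root/skills/deploy-flow" "$root/docs"
  : > "$root/docs/README.md"
  printf '# Codebase\n\nRead `docs/README.md`, then `grep -rn TODO src`.\n\n## Gotchas\n- none yet\n' \
    > "$root/skills/codebase/SKILL.md"
  printf '# Deploy\n\nRun `deploy-tool push` after editing `infra/prod.yaml`.\n' \
    > "$root/skills/deploy-flow/SKILL.md"
  printf '%s\n' "$root"
}

ROOT=$(make_fixture)
report "$ROOT"
```

Point report at a real checkout with `report /path/to/repo` instead of the fixture. The script only reads and reports; it never patches a SKILL.md, which keeps it usable as the read-only mode the scan report recommends. The backtick heuristic is deliberately narrow so that prose like "and/or" is not mistaken for a path; extend backticked() if your skills reference paths differently.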

Key Rules

  • Read before edit — never patch a skill you haven't read
  • Minimal patches — only change what's wrong or missing, don't restructure working skills
  • Preserve voice — each skill has its own style; don't homogenize
  • Commit after — stage and commit all skill changes with chore: skill-review — update N skills
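The "Commit after" rule is where the scan report's missing safeguards (secret scan, dry run, confirmation before edits) would sit. The script below is an added example, not part of this skill or of ClawHub, showing one way to wrap that step: it scans the changed SKILL.md files for secret-like strings, prints only what it would do when DRY_RUN=1, and otherwise asks for confirmation before staging and committing. The secret patterns are a constructed starter list, the repo layout (skills/*/SKILL.md inside a git checkout) is an assumption, and the sample files used by the check are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the skill: a guarded form of the "Commit after"
# rule with the safeguards the scan report asks for: a secret scan of the
# changed skill files, a DRY_RUN=1 mode that only reports, and a confirmation
# prompt before anything is staged or committed. SECRET_PATTERNS is a
# constructed starter list; the repo layout is assumed.
set -u

# Shapes of strings that should never land in a skill file (starter list).
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|PASSWORD|secret|SECRET|token|TOKEN|api_key|API_KEY)[[:space:]]*[:=][[:space:]]*[^[:space:]]+'

# Print file:line:text for every secret-like hit in the given files.
# Returns 0 when clean, 1 when anything matched.
scan_for_secrets() {
  local hits
  hits=$(grep -nHE "$SECRET_PATTERNS" "$@" 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Modified and untracked skill files in the working tree (one per line).
changed_skill_files() {
  git diff --name-only -- 'skills/*/SKILL.md'
  git ls-files --others --exclude-standard -- 'skills/*/SKILL.md'
}

# Stage and commit the changed skill files, with the three safeguards.
# Usage: guarded_commit <N>   (N = number of skills updated, for the message)
guarded_commit() {
  local n="$1" msg files answer
  files=$(changed_skill_files)
  if [ -z "$files" ]; then
    echo "nothing to commit"
    return 0
  fi
  msg="chore: skill-review — update $n skills"
  # Word-splitting on $files is intentional; paths with spaces are not expected.
  # shellcheck disable=SC2086
  if ! scan_for_secrets $files; then
    echo "refusing to commit: secret-like strings found (see above)" >&2
    return 2
  fi
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'DRY RUN: would commit with message "%s":\n%s\n' "$msg" "$files"
    git --no-pager diff --stat -- $files
    return 0
  fi
  printf 'Stage and commit these files?\n%s\n[y/N] ' "$files"
  read -r answer
  if [ "$answer" != "y" ]; then
    echo "aborted, nothing staged"
    return 3
  fi
  git add -- $files && git commit -m "$msg"
}

# Stand-alone use: ./guarded-commit.sh <N>   (set DRY_RUN=1 to preview only)
if [ "${1:-}" != "" ]; then
  guarded_commit "$1"
fi
```

Run it from the repo root with DRY_RUN=1 first to see the file list and diffstat without touching the index; a non-zero exit from scan_for_secrets blocks the commit entirely rather than prompting, so a leaked key in a patched skill cannot be confirmed through by habit. Signed commits or an approve-and-merge step, as the scan report suggests, are configured in git itself and sit on top of this.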
