Skill Combo Recommender

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a coherent skill-combination recommender, with the main cautions being its local installer and downstream workflows that may publish content or manage proxies.

This skill appears reasonable for recommending skill combinations. Before installing, review the included installer because it writes into the OpenClaw skills directory and may create a CLI symlink. When using the recommendations, double-check any suggested downstream skill that publishes content, schedules posts, manages proxies, or changes files/accounts.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user or agent follows these recommendations without review, it could publish or schedule social content or configure proxy/multi-account tooling.

Why it was flagged

The preset workflow recommends downstream proxy-management and social scheduling/publishing tools. This fits the recommender purpose, but those downstream actions can affect public accounts or platform behavior if executed.

Skill content

Recommended skills: xiaohongshu-content + xiaohongshu-image-gen + xiaohongshu-proxy-manager + social-media-scheduler ... Workflow: content creation → image generation → publishing schedule

Recommendation

Use the output as a recommendation only; require explicit user confirmation before running downstream publishing, scheduling, proxy, or account-management tools.

What this means

Users may expect a purely instruction-only skill but receive a package with executable local files and an installer.

Why it was flagged

The registry summary under-declares the package’s actual local runtime/install artifacts, since skill.json declares a Python entry and install.sh is included. This appears to be a packaging mismatch rather than hidden behavior.

Skill content

Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Before manual installation, inspect the included skill.json and install.sh so the local Python entry point and install behavior are understood.

What this means

Running the installer can overwrite a previous copy of this skill and add a command in the user’s local bin directory.

Why it was flagged

The installer replaces any existing same-named skill directory, copies files into the OpenClaw skills directory, and may create a persistent CLI symlink. This is normal installer behavior but is still a local filesystem change.

Skill content

rm -rf "$OPENCLAW_SKILLS_DIR/$SKILL_NAME" ... cp -r "$SKILL_DIR" "$OPENCLAW_SKILLS_DIR/$SKILL_NAME" ... ln -sf "$OPENCLAW_SKILLS_DIR/$SKILL_NAME/source/skill_combo_recommender.py" "$HOME/.local/bin/skill-combo-recommender"

Recommendation

Run the installer only from a trusted copy of the package and back up or review any existing skill-combo-recommender directory before reinstalling.