v0.1.0

Skill Dependency Resolver

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:36 AM.

Analysis

This skill appears to do what it says—merge Python requirement files locally—but users should review the generated file and the CLI installer changes.

Guidance

This skill is reasonable to install if you need local requirements-file merging. Before using it, confirm that the installer’s PATH changes are acceptable, run it on trusted skill directories, and inspect the generated requirements file before passing it to pip because automatic conflict resolution may choose versions that do not work for every skill.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
source/resolver.py
req_file = skill_dir / "requirements.txt" ... self.output_file.write_text('\n'.join(lines) + '\n', encoding='utf-8')

The resolver reads dependency files from each skill directory and writes a merged requirements file; this is core to its purpose but is still a local filesystem mutation.

User impact: It can overwrite the selected output file, and the generated dependency list may later affect the user's Python environment if installed.
Recommendation: Run it on trusted skill directories, choose the output path deliberately, and review the merged requirements file before installing it.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
install.sh
ln -s "${CLI_SCRIPT}" "${CLI_PATH}"
chmod +x "${CLI_SCRIPT}"

The installer adds a persistent CLI symlink under ~/.local/bin. No downloads or package installs are shown, but it does modify the user's executable path.

User impact: Installing the skill places a command in the user's PATH and backs up any existing command at the same path.
Recommendation: Inspect the installer before running it and confirm that the ~/.local/bin command changes are acceptable.