ClawHub
Back to skill
v1.3.0

skill-forge

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:19 AM.

Analysis

Skill Forge is mostly a skill-building helper, but its dependency-management code can run shell and package-manager commands from skill metadata without validation.

GuidanceReview scripts/skill-creator.js before use. Avoid running check or install-deps on skills you did not create until dependency names are validated safely, and inspect any _meta.json dependency list manually before allowing package installs. Enable the OpenClaw hook only if you want periodic session reminders.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityHighConfidenceHighStatusConcern
scripts/skill-creator.js
meta.requires.bins.forEach(bin => { ... checkDependency(bin) ... }); ... execSync(`which ${dependency}`, { stdio: 'ignore' });

Dependency names are read from the target skill's _meta.json and interpolated into a shell command, so crafted metadata could execute unexpected shell syntax when a user runs a normal quality check.

User impactChecking an untrusted or malformed skill could run commands on the user's machine instead of only validating files.
RecommendationUse execFile/spawn with argument arrays, reject shell metacharacters, allowlist dependency-name formats, and treat dependency metadata from other skills as untrusted.
Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
scripts/skill-creator.js
execSync(`winget install ${dependency}`, { stdio: 'ignore' }); ... execSync(`sudo apt-get install -y ${dependency}`, { stdio: 'ignore' });

The install-deps path can invoke system package managers, including sudo apt-get with -y, using dependency values taken from skill metadata without an allowlist or per-package confirmation.

User impactA dependency install workflow could install unintended packages or run shell-injected commands, changing the local system.
RecommendationRequire explicit user confirmation for each package, show the exact command before running it, avoid sudo automation where possible, and validate package names before invoking package managers.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
metadata
Source: unknown; Homepage: none; Required binaries: none; No install spec — this is an instruction-only skill; Code file presence: 2 code file(s)

The registry metadata under-declares runnable components and provenance while the artifacts include JavaScript code and documented Node-based usage.

User impactUsers may not realize they are expected to run local JavaScript or install an OpenClaw hook, and the source provenance is not clear from the metadata.
RecommendationDeclare Node as a required binary if the script is intended to run, document the install mechanism, and provide a verifiable source or homepage.
Rogue Agents
SeverityLowConfidenceHighStatusNote
hooks/openclaw/handler.js
setInterval(() => { console.log(REMINDERS.postToolUse); }, REMINDER_INTERVAL * 60 * 1000);

The OpenClaw hook schedules recurring reminders during sessions, which is disclosed but still creates ongoing behavior once the hook is enabled.

User impactIf enabled, the hook can continue adding reminder messages to sessions until disabled.
RecommendationEnable the hook only if the reminders are desired, and document clear disable instructions and the exact events where the hook runs.