skill-net
Pass
Audited by ClawScan on May 13, 2026.
Overview
skill-net appears to be a benign local analyzer for OpenClaw skills, with minor notes because it runs a Python script, caches local skill inventory reports, and has a small dependency-declaration mismatch.
This skill is reasonable to use if you are comfortable with it running a local Python analyzer over your OpenClaw skill folders and saving diagnostic reports. Do not share the generated reports without reviewing them, and consider checking the full script yourself because the main source view in the provided artifact was truncated.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may run a local Python script on your machine to inspect OpenClaw skill files.
The skill's normal workflow runs an included Python analyzer locally. This is expected for the diagnostic purpose, but users should know local code will execute.
python3 scripts/analyze_deps.py # default: ZH then EN
Run it from the intended skill directory, avoid elevated privileges, and review the script if you need high assurance.
Generated reports could expose local skill names, relationships, and metadata if shared, and cached data may become stale.
The skill creates persistent local summaries from installed skill files. Reports may reveal a user's installed skill inventory and can reflect whatever text exists in those local SKILL.md files.
walk `~/.openclaw/skills/` and `~/.openclaw/workspace/skills/`, read every SKILL.md ... save `data/ecosystem.json` + `data/report.md`
Review generated reports before sharing them and rerun a fresh scan when accuracy matters.
A user who manually installs requirements may fetch an additional package version not tightly pinned by the skill.
A requirements file declares a lower-bound dependency even though no install spec is present. There is no evidence it is installed automatically, but the dependency declaration is looser than ideal.
PyYAML>=6.0
Publisher should either remove the unused requirements file or pin/declare dependencies consistently; users should not install requirements unless needed.
