ClawHub

wangkang-skill-c

PassAudited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent skill-creation guide with purpose-aligned local helper scripts, but users should verify its provenance and review paths and packaged files.

This skill looks safe for its stated purpose, but confirm the publisher/provenance mismatch is acceptable and review local paths and folder contents before running the helper scripts or sharing a packaged .skill file.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
ASI04: Agentic Supply Chain Vulnerabilities
What this means

It may be harder to confirm whether this is an original package or a republished/renamed copy.

Why it was flagged

The internal package metadata identifies a different slug and version than the registry listing for wangkang-skill-c version 1.3.3, which is a provenance/identity mismatch rather than evidence of malicious behavior.

Skill content
"slug": "skill-creator", "version": "0.1.0"
Recommendation

Verify that the publisher and package identity are expected before relying on it, especially in shared or enterprise environments.

Note
ASI02: Tool Misuse and Exploitation
What this means

Running the helper with the wrong path or name could create files in an unintended local location.

Why it was flagged

The initializer creates directories and writes files based on user-supplied path and skill name values. This is purpose-aligned for a skill-creation helper, but path selection matters.

Skill content
skill_dir = Path(path).resolve() / skill_name ... skill_dir.mkdir(parents=True, exist_ok=False) ... skill_md_path.write_text(skill_content)
Recommendation

Use normal hyphen-case skill names and an explicit intended output directory when running the initializer.

Note
ASI02: Tool Misuse and Exploitation
What this means

If a skill folder contains private notes, tokens, build artifacts, or other unintended files, they could be bundled into the archive.

Why it was flagged

The packager includes every file under the selected skill directory in the .skill archive. This is expected for packaging, but it has no shown exclusions for hidden files or accidental secrets.

Skill content
for file_path in skill_path.rglob('*'):
                if file_path.is_file():
                    zipf.write(file_path, arcname)
Recommendation

Inspect the skill directory before packaging and remove any secrets, hidden files, or unrelated local content.