wangkang-skill-c
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
It may be harder to confirm whether this is an original package or a republished/renamed copy.
The internal package metadata identifies a different slug and version than the registry listing for wangkang-skill-c version 1.3.3, which is a provenance/identity mismatch rather than evidence of malicious behavior.
"slug": "skill-creator", "version": "0.1.0"
Verify that the publisher and package identity are expected before relying on it, especially in shared or enterprise environments.
Running the helper with the wrong path or name could create files in an unintended local location.
The initializer creates directories and writes files based on user-supplied path and skill name values. This is purpose-aligned for a skill-creation helper, but path selection matters.
skill_dir = Path(path).resolve() / skill_name
...
skill_dir.mkdir(parents=True, exist_ok=False)
...
skill_md_path.write_text(skill_content)
Use normal hyphen-case skill names and an explicit intended output directory when running the initializer.
If a skill folder contains private notes, tokens, build artifacts, or other unintended files, they could be bundled into the archive.
The packager includes every file under the selected skill directory in the .skill archive. This is expected for packaging, but no exclusions for hidden files or accidental secrets are shown.
for file_path in skill_path.rglob('*'):
    if file_path.is_file():
        zipf.write(file_path, arcname)
Inspect the skill directory before packaging and remove any secrets, hidden files, or unrelated local content.
