Skill v1.0.0

ClawScan security

Magic Quill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Feb 22, 2026, 4:17 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated goal (generate themed YAML spell mappings) matches most of its instructions and code, but there are several concerning elements — dynamic fetching of arbitrary URLs, a pre-scan prompt-injection signal in SKILL.md, and inclusion of many powerful/dangerous fallback skill IDs — that warrant caution before installing or running it.
Guidance
What to consider before installing/running Magic Quill:
- Inspect the generator script (scripts/generate-spell-mapping.mjs) fully before running. The script will fetch web pages, parse JSON/HTML, follow links, and write YAML files; ensure there are no hidden outbound endpoints or obfuscated behavior.
- The SKILL.md triggered a unicode-control-chars heuristic. That can hide text or behavior from casual reviewers — open the raw SKILL.md and the script in a plain text editor, search for control characters, and remove or understand them.
- Network behavior: the tool performs dynamic web searches and will fetch arbitrary discovered URLs and any --url you provide. If you run it, consider doing so in an environment with controlled network access (or offline) until you trust it.
- Review generated YAML before using it with the openclaw-spellbook hook. The fallback/popular-skills list includes powerful/destructive skill IDs (delete-file, kill-process, kubectl-apply, terraform-apply, etc.). If the generator maps those to easy-to-invoke spell names, an agent using that spellbook could execute destructive actions. Manually vet or sanitize the mapping (remove or rename high-risk mappings) before enabling them in an agent environment.
- Validate locally: run the generation with --out pointing to a safe directory (not your live project), review the output, and run the npm validation step in a sandbox. Do not auto-install or auto-enable the spellbook hook until you have reviewed artifact contents.
- If you need stronger assurance, request the full source of the external endpoints the script calls (skills.sh, ClawHub) or run the script with network monitoring to see what hosts are contacted.

Given the prompt-injection signal and the potentially wide-reaching consequences of the generated mappings, proceed only after manual review and with network/file safeguards in place.
Findings
[unicode-control-chars] unexpected: SKILL.md matched the unicode control characters pattern. This is not expected for a generator README and can be used to obfuscate content or try to manipulate prompts/parsers. It should be inspected and removed or explained before trusting the skill.

Review Dimensions

Purpose & Capability
Note: The name/description (generate themed OpenClaw Spellbook YAML mappings) matches the included SKILL.md and the script file: the skill discovers spell lists, fetches pages, synthesizes names, and writes YAML. Including a built-in list of popular skills (used as fallbacks) is consistent with its goal to provide broad coverage. That fallback list however includes high-privilege/dangerous skill IDs (e.g., delete-file, kill-process, kubectl-apply, terraform-apply), which is coherent for a 'popular-skills' fallback but may be surprising to non-technical users and expands the potential impact of generated mappings.
Instruction Scope
Concern: Runtime instructions ask the agent to perform web searches (parse DuckDuckGo HTML), fetch arbitrary discovered URLs and a user-supplied --url, follow links up to depth, extract JSON/HTML content, merge names, and then write YAML under spells/. This gives the skill broad discretion to contact many external hosts (including ones discovered dynamically) and to read/parse arbitrary pages. The SKILL.md also triggered a pre-scan 'unicode-control-chars' prompt-injection pattern — that could be used to hide content or manipulate parsers. Additionally, because the fallback skill list contains destructive operations, the generated YAML may map benign-sounding spell names to actions that can perform destructive changes if later used by an agent.
Install Mechanism
Note: There is no install spec (instruction-only), which is lower-risk in that nothing is automatically downloaded at install time. However, the repo includes an executable Node script (scripts/generate-spell-mapping.mjs) which will be executed by the agent when invoked; that script does filesystem writes and network fetches. Because execution is manual/agent-driven rather than an automatic remote download, the install risk is moderate but requires reviewing the script before running.
Credentials
Note: The skill asks for no environment variables or credentials, which is proportionate. That said, it references external resources (skills.sh trending installs, ClawHub downloads API, DuckDuckGo, Wikipedia) without declaring required credentials — likely they are public endpoints, but the SKILL.md doesn't document expected endpoints or failure modes. The script will read/write files (spells/), and may fetch arbitrary hosts, so network access is the main capability requested; no hidden credential requests were declared, which is appropriate but leaves some uncertainty about how external APIs are used.
Persistence & Privilege
Note: "always" is false and the skill is user-invocable — no elevated persistence requested. The script writes files to the project's spells/ directory (expected behavior). Be aware: writing new spell mapping YAML that maps to powerful skill IDs can effectively enable those operations when the openclaw-spellbook hook is installed, so the write operation has security implications even though the skill itself doesn't request persistent platform privileges.