skills creator

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: meta-skill-generator
Version: 1.0.0

The bundle is a comprehensive framework for the automated generation, testing, and optimization of AI skills. It contains high-risk capabilities, most notably arbitrary code execution via exec() in scripts/tester.py and subprocess.run() in scripts/sandbox.py, which are used to run and validate generated Python code. Additionally, scripts/scan_skills.py performs broad filesystem scanning of the workspace to index existing skills. While these behaviors are aligned with the stated purpose of a 'Meta-Skill Generator,' the combination of LLM-driven code generation and local execution environments creates a significant attack surface for remote code execution (RCE) if the generation requirements are influenced by untrusted input.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A generated or optimized skill could be installed or reused in ways that affect future tasks, especially if the generated content is wrong or unsafe.

Why it was flagged

The skill is explicitly designed to generate, register, test, and optimize other skills, which can modify the agent's future behavior. The artifacts do not show clear approval or rollback boundaries for those high-impact actions.

Skill content
Used to automatically scan, register, retrieve, generate, evaluate, test, and optimize skills
Recommendation

Use a staging directory, require explicit user approval before registration or overwrite, and manually review every generated SKILL.md before enabling it.

What this means

If generated skill code or test inputs are not fully sandboxed, local code could run with the user's permissions.

Why it was flagged

The static scan found eval-based dynamic execution in the tester. This is related to the skill's purpose, but generated or user-influenced skill code should not be executed without strict containment.

Skill content
obj = eval(name) if name in locals() else None
Recommendation

Replace eval with safer lookups such as `locals().get(name)`, enforce Docker or another sandbox for all generated-code tests, and never run unreviewed generated code directly on the host.

What this means

If activated, the framework could continue producing or changing skill artifacts on a schedule rather than only in direct response to a user request.

Why it was flagged

The default configuration enables a weekly auto-refactor feature that writes to a generated skills directory. The SKILL.md does not clearly describe user approval for scheduled activity.

Skill content
auto_refactor:
    enabled: true
    schedule: "0 2 * * 6"
    output_dir: "skills/generated"
Recommendation

Disable scheduled refactoring by default, require an explicit opt-in, log all changes, and require user approval before generated outputs affect installed skills.

What this means

The skill may fail until dependencies are installed, and users may need to choose package sources and versions themselves.

Why it was flagged

The artifacts reference dependencies needed for full functionality, but the registry declares no install spec or required binaries. This is an under-declared setup/provenance issue rather than evidence of malicious behavior.

Skill content
Full functionality requires installing the dependency packages:
        print("  - chromadb")
        print("  - networkx") 
        print("  - deepseek-api-client")
        print("  - docker")
Recommendation

Publish a clear install spec or requirements file with pinned versions and declare Docker/Python expectations in metadata.

What this means

If configured, prompts, requirements, or generated code may be sent to the external provider and the API key may be stored in a local config file.

Why it was flagged

The config anticipates a provider API key for DeepSeek. No real key is included, and this is purpose-aligned for AI generation, but it is not declared in registry credential metadata.

Skill content
base_url: "https://api.deepseek.com"
    api_key: "YOUR_API_KEY_HERE"
Recommendation

Use environment variables or a secret store for API keys, avoid committing real keys, and disclose what data is sent to the provider.

What this means

Generated or retrieved skills could inherit overly broad priority claims that confuse the agent's instruction hierarchy.

Why it was flagged

The persistent optimization database stores instruction-like skill content that claims priority over other instructions. This may be benign example data, but retrieved/generated skill text should be treated as data, not trusted control instructions.

Skill content
This principle takes precedence over all other instructions. ... **Highest priority** - overrides all other instructions
Recommendation

Sanitize stored skill examples, strip unsupported 'highest priority' claims, and keep retrieved skill text separated from system/developer instructions.