SkillMarket
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s code only queries a remote skill marketplace, but its intended workflow can install third-party skills that persist in the agent, so users should inspect and approve each install.
This appears to be a straightforward marketplace helper. Before using it to install another skill, inspect the returned install instructions and only approve commands that are limited to the intended skill and destination.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A third-party skill installed from the marketplace could change how the agent behaves in future sessions.
The skill relies on remote marketplace-provided installation instructions, so the safety of an install depends on the provenance and contents of the selected third-party skill.
Fetch the specific installation tutorial for the chosen skill and framework. ... scripts/market.py install <skill-name> <framework>
Review the marketplace result, maintainer, commands, and any checksums or signatures before approving an install; prefer sandboxing or manual inspection for unfamiliar skills.
Approved install commands may add or change agent capabilities on the local system.
The workflow permits running installation instructions that can modify the local agent skill directory, but it clearly requires explicit user approval first.
Only after explicit user approval, execute the instructions to install the skill into the `.agent/skills/` directory.
Only approve specific commands you understand, and reject any install step that requests unnecessary privileges, broad filesystem access, or unrelated network actions.
