Is erview/clawhub-skill-creator safe?

https://clawhub.ai/erview/clawhub-skill-creator

92
SAFE

This skill provides comprehensive documentation for creating and managing skills in the clawhub registry. The skill appears legitimate with no evidence of malicious intent, data exfiltration, or prompt injection attempts. The main security considerations are the presence of shell scripts and dependencies on external registry systems.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

MEDIUM Executable shell scripts present -15

The skill contains two shell scripts (init-skill.sh and package-skill.sh) that create directories, files, and packages. While they appear benign and serve legitimate purposes in the skill creation workflow, executable scripts always present some risk.

LOW Large token footprint -5

The skill contains extensive documentation (300+ lines) that consumes significant context window space. While not malicious, this could impact agent performance in token-constrained scenarios.

LOW External system dependencies -10

The skill references and encourages interaction with the external clawhub registry system for publishing skills. This creates a dependency on external infrastructure that could potentially be compromised.