← Back to Skills Marketplace
114
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install skill-forge-va
Description
A comprehensive tool for creating, documenting, wrapping, and quality-checking professional-grade skills with standardized templates and best practices.
Usage Guidance
This skill appears to do what it says (create, document, and package skills), but exercise caution before running it on a machine you care about.
Key things to consider:
- Review the scripts before running. The CLI uses execSync to run shell commands and package managers. If you plan to run 'install-deps' or similar commands, inspect _meta.json for any untrusted skill directories first.
- Command-injection risk: dependency names from metadata are interpolated into shell commands without sanitization. Do not run this tool on data from untrusted sources or unreviewed _meta.json files.
- Privilege escalation: installDependency invokes apt/winget/brew and may use sudo. Run in a sandbox or container (or without install commands) if you want to evaluate it safely.
- OpenClaw hook is benign (console reminders) but only enable it if you trust the code; it will run periodically in sessions where hooks are enabled.
If you want higher confidence: ask the author for an explicit review/fix that escapes/sanitizes dependency names and avoids shell command concatenation (use execFile/spawn with argument arrays and no shell), or run the tool in an isolated VM/container and avoid running the automatic install features.
Capability Analysis
Type: OpenClaw Skill
Name: skill-forge-va
Version: 1.3.0
The skill bundle provides a CLI tool ('skill-creator.js') for scaffolding, packaging, and managing OpenClaw skills, including features for wrapping existing binaries and installing system dependencies. It is classified as suspicious because it makes extensive use of 'child_process.execSync' to execute system commands (e.g., 'apt-get', 'brew', 'winget', 'xcopy', and PowerShell's 'Compress-Archive') using unsanitized string interpolation of user-provided arguments like 'skillName' and 'dependency'. This creates a high risk of shell injection and Remote Code Execution (RCE) if the AI agent is prompted to use malicious inputs. While the tool includes a 'detect-malware' command and its functionality aligns with its stated purpose, the lack of input validation for powerful system operations is a significant security flaw.
Capability Assessment
Purpose & Capability
The name/description (skill creation, templates, docs, QA) aligns with the included files: a CLI script to init/check/package skills, templates, docs, and an OpenClaw hook. Requests and metadata don't ask for unrelated credentials or resources.
Instruction Scope
SKILL.md instructs running the CLI (init/check/wrap/install-deps etc.) and wrapping GitHub repos — expected for this tool. The instructions do not ask the agent to read unrelated secrets or system-wide configs. However, the included CLI implementation executes system commands (checks, installs) and would run package-manager commands and arbitrary shell commands derived from skill metadata, which extends its runtime scope to system package management and shell execution.
Install Mechanism
There is no registry install spec (instruction-only at registry level). The package contains code files but does not automatically download remote executables at install time. This is lower risk than an install that pulls a binary from an arbitrary URL.
Credentials
The skill declares no required environment variables, credentials, or config paths. Nothing in the code requires unrelated cloud credentials. That matches the stated purpose.
Persistence & Privilege
always is false and the OpenClaw hook is optional; the hook contains only periodic console reminders and simple handlers. The skill does not request forced persistent inclusion or modify other skills' configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skill-forge-va - After installation, invoke the skill by name or use
/skill-forge-va - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.0
## \[1.3.0]
### Added
- **Intelligent Skill Creation**: Automatically searches for existing projects and provides recommendations
- **Dependency Management**: Helps resolve missing dependencies for new devices
- **Security Scanning**: Detects malicious code during the skill creation process
- **Multi-search Engine Integration**: Leverages multiple search engines for comprehensive project research
- **Self-improving Agent Architecture**: Continuously learns and improves from usage
- **Proactive Agent Patterns**: Anticipates user needs and provides intelligent suggestions
- **Browser Automation**: Integrates with OpenClaw for enhanced capabilities
### Changed
- Simplified command interface to focus on core skill creation functionality
- Integrated search, analyze, and detect-malware features into internal workflow
Metadata
Frequently Asked Questions
What is skill-forge?
A comprehensive tool for creating, documenting, wrapping, and quality-checking professional-grade skills with standardized templates and best practices. It is an AI Agent Skill for Claude Code / OpenClaw, with 114 downloads so far.
How do I install skill-forge?
Run "/install skill-forge-va" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is skill-forge free?
Yes, skill-forge is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does skill-forge support?
skill-forge is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created skill-forge?
It is built and maintained by Variyaone (@variyaone); the current version is v1.3.0.
More Skills