yangran

full scale openclaw skill auditor

by Dr. Ren · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Install in OpenClaw: /install fenz-skill-auditor
Description
Audits Claude skills from GitHub repositories for effectiveness, token usage, safety, and best-practice compliance, then automatically generates bilingual so...
README (SKILL.md)

Skill Audit Workflow

Audit a Claude skill from a GitHub repository. Evaluate effectiveness, token usage, time complexity, permissions, safety, and best-practice compliance. Produce a structured audit report.

Step 1: Clone & Extract

Run the clone script with the user-provided GitHub URL:

bash scripts/clone_and_extract.sh <repo-url>

The script outputs JSON listing all SKILL.md files found. If multiple skills exist in the repo, present the list to the user and ask which one(s) to audit.

If the script exits with a non-zero code:

  • Exit 1: Ask the user to provide a valid GitHub URL
  • Exit 2: Check if the repo exists and is public
  • Exit 3: The repo has no SKILL.md files — inform the user

Step 2: Create Output Directory

Create the audit output directory:

audits/<skill-name>-<YYYYMMDD-HHMMSS>/

Write metadata.json with:

{
  "repo_url": "<url>",
  "timestamp": "<ISO 8601>",
  "auditor": "Fenz.AI",
  "skill_name": "<name>",
  "skill_path": "<path within repo>"
}

Step 3: Save Source Files

Copy all files from the skill directory (the directory containing SKILL.md and its subdirectories) into source/ within the output directory. Then clean up the temp clone directory.

Step 4: Analyze

Read references/audit-criteria.md for detailed rubrics. Evaluate each category:

4a. Effectiveness

Read the skill's SKILL.md and evaluate:

  • Description quality (WHAT + WHEN)
  • Trigger clarity and coverage
  • Workflow definition clarity
  • Examples for complex steps
  • Error handling guidance

Rate: Strong / Adequate / Weak

4b. Token Usage

Run the analysis script:

python3 scripts/analyze_tokens.py <source-dir>

Use the JSON output to assess:

  • SKILL.md line count
  • Progressive disclosure usage
  • Total token footprint
  • Category breakdown

Rate: Low / Medium / High

4c. Time Spending

Evaluate the workflow for:

  • Complexity and branching
  • Number of external tool calls
  • User interaction requirements
  • Scope clarity

Rate: Quick / Moderate / Extended

4d. Permissions

Check the skill for:

  • allowed-tools in frontmatter — what tools are requested?
  • Whether each tool is justified by the workflow
  • Destructive tool usage (Bash without restrictions, Write to system paths)
  • Network access scope
  • File system access scope

Flag any red flags. Rate: Minimal / Moderate / Broad

4e. Safety

Evaluate:

  • Does behavior match the description?
  • Network access patterns
  • File scope boundaries
  • Sensitive data handling
  • Input validation (especially for shell commands)

Rate: Low Risk / Medium Risk / High Risk

4f. Recommendations

Read references/skill-best-practices.md and check the skill against each item. Group findings by priority:

  • High: Safety, correctness, major effectiveness issues
  • Medium: Efficiency, maintainability issues
  • Low: Style and convention suggestions

Step 5: Generate Report

Read assets/audit-report-template.md and fill in all template fields with the analysis results. Save as audit-report.md in the output directory.

Include:

  • All six category ratings with detailed explanations
  • Specific evidence from the skill files for each finding
  • Concrete, actionable recommendations
  • Positive observations (what the skill does well)
  • File appendix with token estimates

Step 6: Log Everything

Maintain process-log.md in the output directory. Append each step as it completes:

## [YYYY-MM-DD HH:MM:SS] Step N: <step name>
- Status: success/failed/skipped
- Details: <what happened>
- Errors: <if any>

Step 7: Generate Social Media Posts

Automatically generate posts from the audit report.

  1. Run: python3 ../post-generator/scripts/extract_findings.py <audit-dir>/audit-report.md
  2. Read ../post-generator/references/writing-guide-en.md and ../post-generator/assets/post-template-twitter-en.md
  3. Generate 2-3 English post variations following the guide
  4. Read ../post-generator/references/writing-guide-zh.md and ../post-generator/assets/post-template-twitter-zh.md
  5. Generate 2-3 Chinese post variations (NOT translations — independently crafted)
  6. Save posts-en.md and posts-zh.md in the audit output directory
  7. Log post generation step to process-log.md

Quality rules:

  • Posts must sound human-written, not AI-generated
  • No banned phrases (see writing guides for anti-pattern lists)
  • Fenz.AI mentioned once, naturally, first post only
  • Max 2 hashtags, no emoji spam
  • English: professional/conversational; Chinese: direct/opinionated with full-width punctuation
Usage Guidance
This skill mostly does what it says (clone a GitHub repo, inspect SKILL.md, estimate tokens, and produce a report), but there are a few actionable concerns to weigh before running it:

  • Runtime dependencies: The scripts assume git, bash, and python3 are available even though the skill metadata lists no required binaries. Run it in an environment where those tools are present and isolated.
  • Cloning arbitrary repos: The workflow clones whatever GitHub URL you provide and then reads/copies all files in the skill directory. That is expected for an auditor but means the process will see any secrets or large files in the repo. Only use with repos you trust, or run inside a restricted sandbox/container.
  • Cleanup: clone_and_extract.sh intentionally leaves the temp clone directory and prints its path; SKILL.md expects the agent to clean it up. Ensure the agent or you remove temporary clones to avoid leaving sensitive data on disk.
  • External paths: SKILL.md Step 7 references ../post-generator/* (scripts and reference files outside the skill). Confirm those sibling directories exist and are trustworthy before the agent opens or executes them; otherwise the agent may attempt to read or run files outside the skill and your intended workspace.
  • Shell handling: The clone script extracts the SKILL.md frontmatter name using grep/sed and inserts it directly into JSON output. Malformed or adversarial SKILL.md frontmatter could produce malformed output or confuse downstream parsers. Treat untrusted repos cautiously.

Practical suggestions:

  • Run the auditor in an isolated container/VM and inspect the cloned repo before letting any automation parse or publish findings.
  • Manually verify the presence and contents of ../post-generator if you need social-post generation, or adapt the workflow to use an included post-generator implementation.
  • If you plan to allow the agent to run this autonomously, restrict the input set of repos (whitelist) or add explicit confirmation steps and explicit temp-dir cleanup commands.

Given these mismatches and operational risks (but no evidence of deliberate misdirection or malicious code), the skill is classified as suspicious — review and harden the workflow before using it on untrusted repositories.
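The Step 1 listing and the Step 4d allowed-tools check, written here as an added example and not as the skill's own clone_and_extract.sh: the frontmatter is matched with a bounded pattern, the name is validated before it is reported, and the listing is emitted through json.dumps, so a hostile name like the constructed HOSTILE sample cannot splice extra keys into the output, which is the failure mode the shell-handling note above describes. The `Bash(git clone:*)` restriction syntax and the lowercase-hyphen name convention are assumptions.

```python
"""Added example, not one of the skill's own scripts: parse SKILL.md frontmatter
defensively and emit the Step 1 listing via a real JSON encoder, not grep/sed."""
import json
import re

# Tools the audit treats as broad when requested without a restriction (Step 4d).
BROAD_TOOLS = {"Bash", "Write"}
FRONTMATTER_RE = re.compile(r"\A---\r?\n(.*?)\r?\n---\r?\n", re.DOTALL)
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")  # assumed naming convention


def parse_frontmatter(text):
    """Key/value pairs from a simple 'key: value' block; {} when absent or malformed."""
    m = FRONTMATTER_RE.match(text)
    if not m:
        return {}
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[A-Za-z][A-Za-z0-9_-]*", key.strip()):
            fields[key.strip()] = value.strip().strip("\"'")
    return fields


def describe_skill(path, text):
    """Record for one SKILL.md: name as found, whether it validates, tools, flags."""
    fm = parse_frontmatter(text)
    name = fm.get("name", "")
    tools = [t.strip() for t in fm.get("allowed-tools", "").split(",") if t.strip()]
    # Bash(git clone:*) carries a restriction (assumed syntax); bare Bash does not.
    return {
        "path": path,
        "name": name,
        "name_valid": bool(NAME_RE.match(name)),
        "allowed_tools": tools,
        "flags": [f"unrestricted {t}" for t in tools if t in BROAD_TOOLS],
    }


def skills_to_json(skills):
    """json.dumps escapes quotes and newlines, so hostile frontmatter cannot inject keys."""
    return json.dumps([describe_skill(p, t) for p, t in skills], indent=2)


def audit_records(skills):
    """Encode, then decode: the listing must parse back for every input."""
    return json.loads(skills_to_json(skills))


# Constructed samples: a well-formed skill and one whose name tries to inject a JSON key.
GOOD = ("---\nname: token-audit\ndescription: Estimate token usage\n"
        "allowed-tools: Read, Bash(git clone:*)\n---\n# Token audit\n")
HOSTILE = '---\nname: x", "auditor": "evil\nallowed-tools: Bash, Write\n---\n'
```

Feed `audit_records` the `(path, text)` pairs found in the clone; a record whose `name_valid` is false or whose `flags` list is non-empty is what Step 4d should surface as a red flag.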
Capability Analysis
Type: OpenClaw Skill
Name: fenz-skill-auditor
Version: 1.0.0

The skill bundle is a legitimate tool designed to audit other AI skills for safety, efficiency, and best practices. It uses a bash script (scripts/clone_and_extract.sh) to safely clone GitHub repositories and a Python script (scripts/analyze_tokens.py) to estimate token usage without executing untrusted code from the target repositories. While it references an external directory (../post-generator/) for social media post generation, its operations are transparent, well-documented, and lack any indicators of malicious intent or data exfiltration.
Capability Assessment
Purpose & Capability
The skill claims to audit Claude skills from GitHub and generate bilingual social posts; the included scripts (clone_and_extract.sh and analyze_tokens.py) implement cloning and token analysis which is coherent with that purpose. However, the SKILL.md and scripts assume availability of git, bash, and python3 even though the skill declares no required binaries. Expectation mismatch: the skill should declare those runtime deps.
Instruction Scope
Instructions direct the agent to clone arbitrary GitHub repos and copy the entire skill directory into an audit output dir — reading all files in the repo (which is expected for an auditor but can include secrets). Step 7 references ../post-generator/* files and scripts outside the skill's directory (parent-sibling paths), which may not exist and would cause the agent to read or execute files outside the skill boundary. The clone script prints the temp repo path and leaves cleanup to the caller (trap message says cleanup is caller responsibility), so cloned repositories may remain on disk if the agent doesn't explicitly remove them.
Install Mechanism
No external downloads or installs are used; this is instruction+script-only. The scripts are local and readable; no remote code fetches beyond git clone of user-specified repositories. This is lower-risk than arbitrary download/extract installers, but cloning arbitrary repos is an operation with expected but non-trivial risk.
Credentials
The skill requests no environment variables or credentials — appropriate for its stated purpose. Minor concern: scripts assume tools (git, python3) exist but those binaries are not declared as required; also the auditor will read every file in the cloned repo (which is consistent with auditing but increases chance of encountering secrets or large files).
Persistence & Privilege
always is false (no forced inclusion). The skill's scripts create a temp clone directory and the clone script explicitly leaves cleanup to the caller; if the agent doesn't remove it the repo contents may persist on disk. The skill does not request to modify other skills or system-wide configuration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install fenz-skill-auditor
  3. After installation, invoke the skill by name or use /fenz-skill-auditor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of skill-audit — an automated Claude skill audit tool for GitHub repositories.

  • Audits Claude skills for effectiveness, token usage, safety, permissions, and best-practice compliance.
  • Generates structured reports with category ratings, evidence, recommendations, and positive findings.
  • Automatically creates bilingual (English & Chinese) social media posts summarizing audit results.
  • Logs all audit steps and status for traceability.
  • Designed for easy integration into skill development workflows.
Metadata
Slug fenz-skill-auditor
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is full scale openclaw skill auditor?

Audits Claude skills from GitHub repositories for effectiveness, token usage, safety, and best-practice compliance, then automatically generates bilingual so... It is an AI Agent Skill for Claude Code / OpenClaw, with 293 downloads so far.

How do I install full scale openclaw skill auditor?

Run "/install fenz-skill-auditor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is full scale openclaw skill auditor free?

Yes, full scale openclaw skill auditor is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does full scale openclaw skill auditor support?

full scale openclaw skill auditor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created full scale openclaw skill auditor?

It is built and maintained by Dr. Ren (@yangran); the current version is v1.0.0.
