Evaluate skill quality, find the weakest dimension, and apply directed improvements. Also tracks usage to spot idle or risky skills. Use when: first session...
Security Analysis
medium confidence
The skill generally matches its stated purpose (scanning/evaluating/editing local skills) but includes several behaviors and instruction inconsistencies (automatic post-install actions, programmatic plugin installation paths, and broad filesystem/command execution) that merit careful review before installing.
Name/description (skill quality, usage tracking, improvements) align with the included code and commands: local validators, scanners, snapshots, and edit/merge/improve flows. Minor inconsistency: registry said 'No install spec — instruction-only', yet the package includes many JavaScript libs, hooks, and scripts and SKILL.md lists those files and marks type: executable. Requiring node is expected.
Runtime instructions deliberately read and write many user files and directories (e.g., other skills' SKILL.md, ~/.claude/settings.json, .skill-compass snapshots, manifests). The Post-Install Onboarding explicitly runs automatically on first session and performs silent discovery/scans and may write a statusLine to the user's settings file. Several commands instruct running Node/Bash tools and invoking other plugins; eval-security will run local shell checks and may invoke detected tools. These are within the broad purpose but are intrusive and should be consented to.
There is no external download/install URL (no install spec). Code is included in the bundle (many libs and scripts) and the skill requires only the node binary. No high-risk remote installs detected in the provided files.
The skill requests no environment credentials (no API keys), which is appropriate. However it accesses many local config paths and skill directories (e.g., ~/.claude, .openclaw, project skill roots). This file-system access is consistent with a skill-management tool but is broad; users should expect the skill to read many local files and to write snapshots and configuration.
always:false, and autonomous invocation is allowed (platform default). Concerns: (1) Post-Install Onboarding runs automatically without an explicit command and writes to user settings and state files; (2) some flows (e.g., eval-evolve) will offer to install the ralph-wiggum plugin and explicitly say they will run the plugin install command directly when --internal is set (meaning programmatic callers could trigger installs without an interactive confirmation). Combined with the skill's ability to run shell commands and write files, this increases the blast radius if invoked autonomously.
Guidance
This skill appears to do what it says (evaluating and improving local skills) but is intrusive: it scans other installed skills, reads/writes ~/.claude/settings.json and a .skill-compass directory, executes local Node/Bash scripts, and can trigger plugin installs when called programmatically. Before installing:
1) Backup ~/.claude/settings.json and any important skill files.
2) Review the bundled JS files (lib/*, hooks/scripts/*) locally to satisfy yourself; they will run on your machine.
3) Decide whether you want automatic Post-Install Onboarding that runs silently on first session; if not, avoid installing or run in a restricted/sandboxed environment.
4) Be cautious about giving other automation permission to call this skill with --internal (that flag can bypass interactive prompts and auto-install plugins).
5) If you proceed, monitor what files it writes (.skill-compass, snapshots, locks) and review any plugin installs it performs.
Latest Release
v1.1.0
SkillCompass 1.1 release
Published by @krishna-505 on ClawHub