Scan Report
5 /100
lua-scripter (declared in SKILL.md) / self-improving-agent (in _meta.json)
Lua development assistant with self-improvement hooks for learning capture
Legitimate Lua development assistant skill with self-improvement hooks. All scripts are readable, no malicious patterns detected, no network/credential access.
Safe to install
This skill is safe to use. The minor documentation mismatch (SKILL.md name vs _meta.json name) is non-security-relevant.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Aligned | extract-skill.sh creates ./skills/<name>/SKILL.md with path validation |
| Shell | NONE | READ | ✓ Aligned | Scripts use CLAUDE_TOOL_OUTPUT env var for error detection |
| Environment | READ | READ | ✓ Aligned | error-detector.sh reads CLAUDE_TOOL_OUTPUT (documented hook behavior) |
| Network | NONE | NONE | — | No network calls in any script |
File Tree
16 files · 36.8 KB · 1616 lines Markdown 10f · 1197L
Shell 3f · 296L
TypeScript 1f · 62L
JavaScript 1f · 56L
JSON 1f · 5L
├─
▾
.learnings
│ ├─
ERRORS.md
Markdown
│ ├─
FEATURE_REQUESTS.md
Markdown
│ └─
LEARNINGS.md
Markdown
├─
▾
assets
│ ├─
LEARNINGS.md
Markdown
│ └─
SKILL-TEMPLATE.md
Markdown
├─
▾
hooks
│ └─
▾
openclaw
│ ├─
handler.js
JavaScript
│ ├─
handler.ts
TypeScript
│ └─
HOOK.md
Markdown
├─
▾
references
│ ├─
examples.md
Markdown
│ ├─
hooks-setup.md
Markdown
│ └─
openclaw-integration.md
Markdown
├─
▾
scripts
│ ├─
activator.sh
Shell
│ ├─
error-detector.sh
Shell
│ └─
extract-skill.sh
Shell
├─
_meta.json
JSON
└─
SKILL.md
Markdown
Security Positives
✓ No network calls or data exfiltration detected
✓ No credential harvesting or sensitive path access
✓ No base64 encoding or obfuscation
✓ Path validation in extract-skill.sh prevents directory traversal
✓ Shell scripts are simple and readable with clear purpose
✓ No remote script execution (curl|bash, wget|sh)
✓ No supply chain risks - no external dependencies