ClawHub

isnad-scan

v1.0.0

Scan AI agent skills for security vulnerabilities — detects code injection, prompt injection, credential exfiltration, supply chain attacks, and 69+ threat p...

0· 429·2 current·2 all-time
byRapi@0xrapi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (a scanner) matches the declared requirement: the isnad-scan binary. No unrelated env vars, config paths, or surprising binaries are requested.
Instruction Scope
SKILL.md only instructs running the scanner on a path and shows flags and a Python API. This stays within the stated purpose. Caveats: using --cve implies network queries to OSV.dev (expected for CVE checks) and the Python import example means the package code will be imported into the agent process — SKILL.md does not state whether the scanner performs any dynamic execution of scanned code or telemetry/remote submission of findings.
Install Mechanism
SKILL.md includes a pipx install entry for isnad-scan (PyPI), which is a standard mechanism. The registry metadata noted 'No install spec', creating a minor inconsistency between declared registry install specs and the SKILL.md. Installing from PyPI via pipx is moderate risk but expected for a Python tool; there are no ad-hoc downloads or unknown URLs.
Credentials
No environment variables or credentials are requested, which is proportionate to a scanner. The only external access implied is CVE lookups (public OSV.dev) and possibly GitHub/PyPI lookups referenced in the README links.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent elevated presence or attempt to modify other skills. Autonomous invocation is allowed (platform default) but not by itself a concern here.
Assessment
This skill appears to be a thin integration for the isnad-scan tool and is coherent with its description. Before installing: (1) verify the pip package and GitHub repo (pip install isnad-scan / https://github.com/counterspec/isnad) to ensure you trust the upstream maintainer; (2) if you care about privacy, run scans on copies of sensitive data and be aware that --cve will perform network queries to OSV.dev; (3) inspect the isnad-scan package source (or GitHub) before pipx installing, since the Python import example means code will run inside your agent process; (4) confirm whether the tool performs any dynamic execution of scanned code or telemetry/remote uploads (not documented in SKILL.md). These checks will reduce risk before you give the agent permission to run the scanner.

Like a lobster shell, security has layers — review code before you run it.

latestvk9758h6xyseys2m1j30g6z269s81gwsy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛡️ Clawdis
Binsisnad-scan

Comments