isnad-scan
Pass. Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent, user-directed security scanner, but users should verify the external PyPI CLI it installs and be aware that optional CVE checks contact OSV.dev.
This appears safe to consider as a user-invoked security scanner. Before installing, confirm that the external 'isnad-scan' package is the one you intend to trust, and use optional CVE checking only when it is acceptable to send dependency information to OSV.dev.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may require trusting the external 'isnad-scan' package to run locally.
The skill depends on installing and running an external PyPI-distributed CLI that is not included in the submitted file manifest.
requires:
  bins: ["isnad-scan"]
install:
  - id: isnad-scan-pip
    kind: pipx
    package: isnad-scan
Verify the PyPI/GitHub source and package version before installing, preferably using an isolated tool such as pipx as documented.
Running the scanner executes a local command against the path you provide.
The skill documents local CLI execution. This is expected for a scanner and is shown as a user-invoked command.
isnad-scan <path>
Run it only on intended directories and avoid giving it broader filesystem scope than needed.
If you enable CVE checking, project dependency metadata may be sent to an external vulnerability service.
The optional CVE check uses an external provider, which may involve sharing dependency information with OSV.dev.
isnad-scan <path> --cve # Also check dependencies for known CVEs (via OSV.dev)
Use the --cve option only for projects where sharing dependency names and versions with OSV.dev is acceptable.
