Skulk Skill Scanner
Verdict: Pass. Audited by ClawScan on May 10, 2026.
Overview
The skill appears to be a disclosed local static scanner that reads the skill folder you choose, with only low-severity cautions about local code execution, file excerpts, and limited provenance.
This looks safe to use as a local advisory scanner, but run it only on specific skill folders, avoid publishing verbose/JSON output that may contain excerpts, and manually review sensitive skills rather than relying only on a PASS result.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill executes local JavaScript on your machine.
The documented workflow executes the bundled Node.js scanner. This is disclosed and central to the skill's purpose, not hidden or automatic.
node scripts/scanner.js <path-to-skill> [--verbose] [--json] [--summary] [--ignore <path>] [--include-self]
Run it only from a package you trust and preferably on a specific skill folder rather than a broad filesystem path.
If you scan folders containing private material or real secrets, snippets may be printed in scan output.
The scanner reads files under the selected skill path and stores matching line excerpts in findings. This is expected for static scanning, but those excerpts could appear in terminal or CI logs.
const content = fs.readFileSync(file, 'utf-8'); ... lineContent: lineContent.slice(0, 120)
Scan only intended skill folders and be careful where JSON or verbose scan output is logged or shared.
A skill with important code at scripts/scanner.js could be missed unless --include-self is used.
By default the scanner skips any file with this relative path, not only its own copy. The SKILL.md describes --include-self for scanner internals, but users should understand this can affect scan coverage.
if (!options.includeSelf && normalized === 'scripts/scanner.js') return true;
Treat results as a first-line advisory scan, use --include-self when reviewing scanner-like skills, and manually inspect important files.
It is harder to verify that the packaged scanner matches an upstream project.
The package does not provide an upstream source or homepage for independent comparison. No remote installer or dependency download is shown, so this is a provenance note rather than a behavioral concern.
Source: unknown; Homepage: none
Install only if you trust the publisher or can inspect the full packaged files yourself.
