Skill Security Auditor
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a disclosed, user-run security scanning tool, but users should treat its shell commands and “safe to install” recommendations as advisory rather than definitive.
This skill is generally consistent with its stated purpose as a manual security-auditing CLI. Install it from the registry when possible, be cautious with optional curl-based manual installation or update commands, and treat its scan result as advisory rather than a complete guarantee that another skill is safe.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The analyzer can inspect files the user points it at and can contact ClawHub when given a slug.
The tool reads local files and can fetch skill content over the network, which is expected for its stated auditing purpose but still means the user is running a shell-based analyzer with file and network access.
OPTIONS:
  -f, --file FILE    Analyze local SKILL.md file
  -s, --slug SLUG    Fetch and analyze skill from ClawHub by slug
Run it only on intended SKILL.md files or trusted slugs, and review its output as one input to your installation decision.
Following manual download instructions from an unverified or substituted source could install different code than the reviewed artifact.
The optional manual installation examples download files with curl and do not show checksums, signatures, or pinned release artifacts. This is user-directed and not the default install path, but it is a provenance point users should notice.
curl -o ~/.openclaw/skills/skill-security-auditor/analyze-skill.sh \
  https://raw.githubusercontent.com/YOUR-USERNAME/skill-security-auditor/main/analyze-skill.sh
Prefer the registry install path, or verify the source repository and file integrity before using manual curl-based installation or updates.
A clean result could create more confidence than a pattern-based scanner can fully justify.
The script can produce a strong 'Safe to install' recommendation based on pattern matching. The README and SKILL.md disclose limitations, so this is not deceptive, but users should not treat the result as a guarantee.
recommendation="Safe to install. No significant security concerns detected."
Use the report as a first-pass signal and combine it with manual review, source verification, and other scanning where appropriate.
