Senior Secops
Pass. Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate local security-auditing skill, but it can read project files and create reports that may contain secrets, so handle its output carefully.
Before installing or running this skill, confirm you trust the included Python scripts, run them only on intended projects, keep generated reports private, and pin any copied CI/CD third-party actions rather than using moving branches like @master.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on the wrong directory, the scanner may inspect more local source/configuration files than intended.
The skill directs use of local Python scanners over project paths, including the current directory. This is coherent with the security-audit purpose, but it gives the tool broad read access to the selected project.
python scripts/security_scanner.py /path/to/project ... python scripts/compliance_checker.py . --framework all
Run the scripts only against intended repositories or CI workspaces, and avoid pointing them at a home directory or unrelated sensitive folders.
A changed or compromised third-party CI action could run in your pipeline and access the Snyk token used for scanning.
A reference CI template uses a moving third-party GitHub Action branch and passes a service token to it. This is an example, not automatic skill behavior, but copying it as-is would create supply-chain exposure.
uses: snyk/actions/node@master ... SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
If adopting the CI example, pin GitHub Actions to immutable versions or commit SHAs and scope any tokens narrowly.
Security reports may reveal real API keys, passwords, or proprietary source snippets if shared broadly.
The scanner intentionally detects secrets and stores a code snippet with each finding, so generated reports or console output may contain sensitive material from the scanned codebase.
SECRET_PATTERNS = [ ... 'Hardcoded API key detected' ... 'AWS Secret Key' ... ] ... code_snippet: str
Treat generated reports as confidential, redact secrets before sharing, and rotate any real credentials the scanner discovers.
