Senior Security
Security checks across malware telemetry and agentic risk
Overview
This security toolkit appears purpose-aligned and shows no evidence of hidden execution, persistence, or exfiltration, but users should handle its secret-scan outputs carefully and verify that flagged reference examples are not real keys.
Before installing, review the bundled scripts and reference files, confirm that any apparent API keys or private-key snippets are placeholders, and only run the secret scanner on files you intend to inspect. Treat any scanner findings as sensitive, and use the penetration-testing guidance only on systems where you have authorization.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on a broad or private folder, the scanner may reveal real credentials or tokens in its findings.
The scanner is intentionally able to inspect user-selected local files or projects for secrets. This is purpose-aligned, but broad paths could expose sensitive matches in the agent output or logs.
Usage:
python secret_scanner.py /path/to/project
python secret_scanner.py /path/to/file.py
Run it only on intended repositories or files, and treat scan output as sensitive information that should not be pasted into public channels.
If the flagged value were a real credential, installing or sharing the package could expose that credential.
A static scan flagged a possible hardcoded API key in bundled reference material. The artifact context suggests it may be an educational example, but the redacted value prevents confirming whether it is only a placeholder.
Static scan finding at line 583: API_KEY = "[REDACTED]"
Verify the flagged literals are dummy placeholders; remove and revoke any real secrets before distributing or using the skill.
