Clawhub Skill Scanner

Pass. Audited by ClawScan on May 10, 2026.

Overview

This is a coherent local security-scanner skill, but its mandatory/auto-approve wording and sparse provenance mean users should keep final installation decisions under their own control.

This skill appears purpose-aligned as a local scanner. Before installing, verify the full `scan_skill.py` source and remember that a 'SAFE' result is not a guarantee; keep manual approval for installing external or high-privilege skills.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note: High Confidence
ASI01: Agent Goal Hijack
What this means

Skill installations may be delayed or blocked based on the scanner's result.

Why it was flagged

The skill instructs the agent to interpose this scanner on future install requests. This is expected for a security gatekeeper, but it can redirect the normal install flow.

Skill content
Security gatekeeper for skill installations. MANDATORY before installing any skill... Always run this BEFORE installation.
Recommendation

Use the scanner as a pre-install check, but keep explicit user approval for installing or blocking skills.

What this means

A false negative could lead a user or wrapper script to install a risky skill because the scan labeled it safe.

Why it was flagged

The documentation encourages auto-approval based on the scanner's heuristic score. The scanner's limits are partly disclosed, but 'safe' should not be treated as a guarantee.

Skill content
| 0-20 | 🟢 SAFE | Auto-approve |
Recommendation

Treat a clean scan as one signal, not a guarantee; manually review unfamiliar or high-privilege skills before installation.

What this means

It is harder to independently verify or reproduce the scanner before trusting it as a security gate.

Why it was flagged

The registry metadata does not provide a source/homepage or declare Python as a runtime requirement, even though the docs instruct users to run a Python script.

Skill content
Source: unknown; Homepage: none; Required binaries (all must exist): none; No install spec — this is an instruction-only skill.
Recommendation

Verify the complete package contents and source repository before relying on this scanner for automated install decisions.