SecureVibes Scanner
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a purpose-aligned security scanning skill, but it needs deliberate setup because it uses an external scanner, Anthropic authentication, and optional recurring background scans.
Before installing or using this skill, verify the securevibes CLI package, confirm which Anthropic account or API key will be used, and only scan repositories and web targets you are authorized to test. Enable the cron-based incremental scanner only if you intentionally want ongoing background monitoring.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The scanner that reads the target codebase comes from an external package installation.
The core scanner is an external CLI installed outside the provided skill artifacts and is not pinned in an install spec, so the user must trust the package source and installed version.
Install the CLI: `pipx install securevibes` (preferred) or `uv tool install securevibes`.
Install the CLI from a trusted environment, pin and verify the exact package version before installing it, and avoid running it on sensitive repositories until you have reviewed what it sends to the AI provider.
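A worked way to carry out the "verify the package/version" step above, added here as an example and not part of the ClawScan report or the SecureVibes skill. It assumes the wheel is first fetched once with `pip download securevibes --no-deps -d ./dl`, its SHA-256 recorded, and that exact file then installed with `pipx install ./dl/<wheel>`; the version `0.0.0`, the wheel filename and the `demo_artifact` contents are constructed placeholders, not the real package.

```python
"""Hash-pin the securevibes CLI artifact before handing it to pipx.

Added example, not the skill's own code. The version string, wheel
filename and artifact bytes below are hypothetical/constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large wheels are not held in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def pinned_requirement(name: str, version: str, artifact: Path) -> str:
    """Requirements line pinning name, version and artifact digest.

    Installed with `pip install --require-hashes -r requirements.txt`, pip
    refuses any artifact whose digest differs from the recorded one.
    """
    return f"{name}=={version} --hash=sha256:{sha256_of_file(artifact)}"


def verify_artifact(artifact: Path, expected_sha256: str) -> bool:
    """Constant-time check of a downloaded artifact against the recorded pin."""
    return hmac.compare_digest(sha256_of_file(artifact), expected_sha256.lower())


def demo_artifact() -> Path:
    """Constructed stand-in for a downloaded wheel (content b"abc"); not a real package."""
    wheel = Path(tempfile.mkdtemp()) / "securevibes-0.0.0-py3-none-any.whl"
    wheel.write_bytes(b"abc")
    return wheel


if __name__ == "__main__":
    wheel = demo_artifact()
    line = pinned_requirement("securevibes", "0.0.0", wheel)
    print(line)
    print("verified:", verify_artifact(wheel, line.split("sha256:")[1]))
```

Record the emitted line beside the skill so the next install can be checked against it; a digest mismatch means a different artifact than the one you reviewed.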
Scans may run using the user's Anthropic account or API credits.
The skill may use the user's Anthropic OAuth session or API key to run AI-powered scans. This is expected for the stated purpose, but it is still account-level authentication.
Authenticate with Anthropic ... The Claude Agent SDK picks up your OAuth session automatically ... or `export ANTHROPIC_API_KEY=your-key-here`.
Use the least-privileged authentication method available, keep API keys out of shell history and committed files, and confirm the intended Anthropic account is active before running scans.
Repository contents or security findings may be sent to the AI service used by the scanner.
The skill is designed to analyze local code using an external AI provider. That is purpose-aligned, but private source code may be processed outside the local machine.
AI-native security platform that detects vulnerabilities using Claude AI.
Check your organization's policy for sending code to external AI services before scanning private or regulated repositories.
If pointed at the wrong target, scans could generate unwanted traffic to systems the user does not control.
The skill can perform dynamic application security testing against a network target. The artifact clearly warns users to limit this to authorized targets.
DAST scans make network requests to the `--target-url` you provide. Only use against apps you own or have permission to test.
Run DAST only against applications you own or have explicit permission to test.
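One way to enforce the authorization boundary for `--target-url` before any request leaves the machine, added here as an example and not part of the ClawScan report or the SecureVibes skill. The allowlist, the `check_target` function and the sample URLs are hypothetical; the check is meant to wrap whatever command launches the DAST scan.

```python
"""Refuse DAST targets that are not explicitly allowlisted.

Added example, not the skill's own code. Host names in the allowlist and
the sample URLs are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit


def _literal_ip(host: str):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def check_target(target_url: str, allowed_hosts: set[str]) -> tuple[bool, str]:
    """(ok, reason) for a DAST target.

    Accepts only http(s) URLs without embedded credentials whose hostname
    (case-insensitive, port ignored) exactly matches an allowlisted host.
    Exact matching blocks look-alikes such as staging.example.com.evil.net;
    subdomains must be allowlisted individually. A private or loopback IP
    literal is allowed only when that literal itself is allowlisted, so a
    scan aimed at internal infrastructure is a deliberate choice.
    """
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    allowed = {h.lower() for h in allowed_hosts}
    if host not in allowed:
        ip = _literal_ip(host)
        if ip is not None and (ip.is_private or ip.is_loopback):
            return False, f"private address {host} not allowlisted"
        return False, f"host {host} not allowlisted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed allowlist of hosts the operator owns or is authorized to test.
    ALLOWED = {"staging.example.com", "127.0.0.1"}
    for url in ("https://staging.example.com/login",
                "https://staging.example.com.evil.net/",
                "http://10.0.0.5:8080/"):
        print(url, "->", check_target(url, ALLOWED))
```

Wire the check in front of the actual scan invocation and fail closed: if `check_target` returns `False`, do not run the scanner at all rather than logging and continuing.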
The skill can keep scanning a repository on a schedule, using compute resources and possibly AI-provider usage each time new commits are found.
The skill supports recurring background scans through a user-created cron job. This persistence is disclosed and scoped, but it continues until the user disables it.
create a cron job ... `--cron "*/30 * * * *"` ... `--message "Run incremental security scan: python3 <skill-path>/ops/incremental_scan.py --repo <repo-path> ..."`
Only create the cron job for repositories you want continuously monitored, and remove or pause it when no longer needed.
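A guard that keeps a recurring scan from spending compute and AI-provider usage when nothing has changed, and that can be paused without editing the crontab, added here as an example. It is not the skill's own `ops/incremental_scan.py`; it assumes the cron wrapper resolves the repository HEAD itself (for example with `git rev-parse HEAD`) and passes it in, and the state-file layout, the `.securevibes-paused` marker and the minimum interval are hypothetical choices.

```python
"""Gate a cron-driven incremental scan on new commits, a pause marker
and a minimum interval.

Added example, not the skill's own code. State-file format, marker name
and the demo repository are hypothetical/constructed.
"""
import json
import subprocess
import tempfile
import time
from pathlib import Path

PAUSE_MARKER = ".securevibes-paused"  # touch this in the repo to pause scans


def load_state(path: Path) -> dict:
    """Last-scan record; a missing or corrupt file means 'never scanned'."""
    try:
        return json.loads(path.read_text())
    except (FileNotFoundError, json.JSONDecodeError):
        return {}


def save_state(path: Path, state: dict) -> None:
    path.write_text(json.dumps(state, sort_keys=True))


def should_scan(state: dict, head: str, repo: Path, now: float,
                min_interval_s: float = 0.0) -> tuple[bool, str]:
    """Decide whether this cron tick should run the scanner at all."""
    if (repo / PAUSE_MARKER).exists():
        return False, "paused"
    if state.get("last_head") == head:
        return False, "no new commits"
    if now - state.get("last_scan_at", 0.0) < min_interval_s:
        return False, "rate limited"
    return True, "new commits"


def record_scan(state: dict, head: str, now: float) -> dict:
    """Store the commit just scanned so the next tick can skip it."""
    state["last_head"] = head
    state["last_scan_at"] = now
    return state


def demo_repo() -> Path:
    """Constructed empty directory standing in for a repository checkout."""
    return Path(tempfile.mkdtemp())


if __name__ == "__main__":
    # Assumed cron flow: resolve HEAD, consult state, scan only when needed.
    repo = Path(".")
    state_file = repo / ".securevibes-state.json"
    head = subprocess.check_output(["git", "rev-parse", "HEAD"], cwd=repo, text=True).strip()
    state = load_state(state_file)
    ok, why = should_scan(state, head, repo, time.time(), min_interval_s=600)
    print(f"{why}: {'scanning' if ok else 'skipping'} {head[:12]}")
    if ok:
        # The actual securevibes invocation would go here.
        save_state(state_file, record_scan(state, head, time.time()))
```

Keep the state file out of version control; committing it would itself create a new commit and defeat the change check.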
