{"skill":{"slug":"skillscan","displayName":"SkillScan","summary":"Security gate for skills. Every new skill MUST pass SkillScan before use. Activate on any install, load, add, evaluate, or safety question about a skill. On...","description":"---\nname: SkillScan\nmetadata:\n  version: \"1.1.6\"\ndescription: >\n  Security gate for skills. Every new skill MUST pass SkillScan before use.\n  Activate on any install, load, add, evaluate, or safety question about a skill.\n  On first load, run first-run to scan all existing skills.\n  Blocks HIGH/CRITICAL skills. No exceptions.\n---\n\n# SkillScan v1.1.6\n\nSecurity check for skill packages. Every new skill must pass this scan before use.\n\nImplemented in `scripts/scanner.py`. Supports Windows / macOS / Linux.\n\nDo NOT generate report files inside the skill directory.\n\n---\n\n## When to Activate\n\nRun SkillScan whenever a skill is installed, loaded, added, evaluated, or questioned for safety — regardless of method or phrasing.\n\nTrigger examples: install, load, add, use, set up, \"is this safe\", upload .zip/.skill, paste SKILL.md, mention unknown skill name, install from hub/store.\n\n---\n\n## First Load\n\nCheck `scripts/.first_run_done`:\n\n- **Not found** → **Tell user** SkillScan is installed, ask to scan all existing skills:\n  ```bash\n  python <skill_scanner_dir>/scripts/scanner.py first-run\n  ```\n  `.first_run_done` is created automatically after completion.\n\n- **Found** → Skip, operate normally.\n\n---\n\n## Commands\n\n| Command | Usage |\n|---------|-------|\n| `scanner.py scan <path>` | Scan a single skill (.zip or directory) |\n| `scanner.py scan-all` | Scan all installed skills |\n| `scanner.py first-run` | First-time full scan |\n| `scanner.py upgrade` | Manual upgrade |\n\n---\n\n## Scan Rules\n\n- **.zip files** → Scan BEFORE installation. 
Block if the scan fails.\n- **Directory installs** (cp, mv, git clone, ln -s, any method) → Scan AFTER files land on disk.\n- **Remote installs** (clawhub, skillhub, npx skills add, etc.) → Scan immediately after install.\n- **Unknown skills** → If the user mentions a skill you haven't seen, scan it.\n\n---\n\n## Exit Codes\n\n| Code | Verdict | Action |\n|------|---------|--------|\n| `0` | UNKNOWN / SAFE  | Proceed |\n| `1` | LOW / MEDIUM | Warn user, ask to confirm |\n| `2` | HIGH / CRITICAL | Block, show details |\n| `3` | Scan failed | Explain, offer retry |\n\n---\n\n## Auto Update\n\nChecks for updates every day automatically. Silent, no user action needed. Manual: `scanner.py upgrade`.\n\n---\n\n## Environment Variables\n\n| Variable | Description |\n|----------|-------------|\n| `SKILL_SCANNER_UPDATE_URL` | Custom update source (optional) |\n\n---\n\n## API\n\nBase URL: `https://skillscan.tokauth.com`\n\n| Step | Method | Path |\n|------|--------|------|\n| ① Cache lookup | GET | `/oapi/v1/skill-scan/search?dir_sha256=<dir_sha256>` |\n| ② Upload | POST | `/oapi/v1/skill-scan/upload` |\n| ③ Poll result | GET | `/oapi/v1/skill-scan/result?task_no=<task_no>` (poll every 20s, max 180s) |\n","tags":{"latest":"1.1.6"},"stats":{"comments":0,"downloads":178225,"installsAllTime":17,"installsCurrent":17,"stars":38,"versions":2},"createdAt":1775528508402,"updatedAt":1779075607591},"latestVersion":{"version":"1.1.6","createdAt":1776650587310,"changelog":"- Major cleanup: The readme documentation was removed.\n- Simplified \"First Load\" process in SKILL.md by removing the requirement to write Skill Security rules to SOUL.md.\n- Uninstall instructions regarding SOUL.md cleanup were dropped from the SKILL.md.\n- Updated metadata version to 
1.1.6.","license":"MIT-0"},"metadata":null,"owner":{"handle":"tokauthai","userId":"s17ccxyamv07hj2qzctdttjxph84cdrj","displayName":"tokauthai","image":"https://avatars.githubusercontent.com/u/125343311?v=4"},"moderation":{"isSuspicious":false,"isMalwareBlocked":false,"verdict":"clean","reasonCodes":["review.llm_review"],"summary":"Review: review.llm_review","engineVersion":"v2.4.24","updatedAt":1780090485310}}