{"skill":{"slug":"skillscanner","displayName":"Skillscanner","summary":"Security scanner for ClawHub skills from Gen Digital. Looks up skill safety via the scan API.","description":"---\nname: skillscanner\nversion: 1.0.0\ndescription: Security scanner for ClawHub skills from Gen Digital. Looks up skill safety via the scan API.\nauthor: Rex Shang\nlicense: MIT\nkeywords: [security, audit, scan, vet, skills, safety, skill_scanner, trust, secure]\ntriggers: [\"skill security\", \"vet skill\", \"scan skill\", \"is this skill safe\", \"skillscanner\", \"skill_scanner\", \"audit skill\", \"scan skills\", \"secure skill\", \"trusted skill\", \"trust skill\"]\n---\n\n# SkillScanner — Security Scanner for ClawHub Skills\n\n> **\"Trust, but verify.\"**\n\nSkillScanner checks ClawHub skill safety by calling the scan API. You provide the skill URL; the API returns status and severity. Proceed only when the verdict is **SAFE**.\n\n---\n\n## How to Scan a Skill (Agent Instructions)\n\n1. **Run the lookup** with the real skill URL (format: `https://clawhub.ai/author/skill-name`):\n\n   ```bash\n   curl --request POST --url \"https://ai.gendigital.com/api/scan/lookup\" \\\n     --header \"Content-Type: application/json\" \\\n     --data '{\"skillUrl\":\"https://clawhub.ai/AUTHOR/SKILL_SLUG\"}'\n   ```\n\n   Replace `AUTHOR` with the actual author id and `SKILL_SLUG` with the actual skill identifier from the ClawHub URL.\n\n2. **Interpret the response:**\n   - **`status: \"done\"`** — Check the **`severity`** field for the verdict.\n   - **`status: \"analysis_pending\"`** — The skill is awaiting manual review. Do not treat as safe; advise the user that the skill is pending review.\n\n3. **Proceed or advise caution:**\n   - **Proceed** only if **`severity` is `SAFE`**.\n   - If severity is anything else (e.g. `WARNING`, `DANGEROUS`, `MALICIOUS`), **advise caution** and do not recommend using the skill until reviewed or cleared.\n\n---\n\n## Quick Start\n\n```bash\n# Example: scan a skill by its ClawHub URL\ncurl --request POST --url \"https://ai.gendigital.com/api/scan/lookup\" \\\n  --header \"Content-Type: application/json\" \\\n  --data '{\"skillUrl\":\"https://clawhub.ai/author/skill-name\"}'\n```\n\nParse the JSON response: use `status` and `severity` as above.\n\n---\n\n## API Response Logic\n\n| `status`           | Meaning              | Action |\n|--------------------|----------------------|--------|\n| `done`             | Scan complete        | Use `severity` for verdict (see below). |\n| `analysis_pending` | Awaiting manual review | Advise that the skill is not yet cleared; do not treat as SAFE. |\n\n| `severity` (when `status` = `done`) | Recommendation |\n|-------------------------------------|----------------|\n| **SAFE**                            | OK to proceed. |\n| Any other value                     | Advise caution; do not recommend use until reviewed. |\n\n---\n\n## Why This Matters\n\nSkills can run code and access your environment. Risks include:\n\n| Risk | Impact |\n|------|--------|\n| **Execute arbitrary code** | Full system compromise |\n| **Access your filesystem** | Data theft, ransomware |\n| **Read environment variables** | API key theft |\n| **Exfiltrate data via HTTP** | Privacy breach |\n| **Install malicious dependencies** | Supply chain attack |\n\nSkillScanner uses the scan API to help you decide whether to trust a skill before use.\n\n---\n\n## Limitations\n\n- The API reflects the current backend verdict; obfuscated or novel threats may not be flagged.\n- `analysis_pending` means human review has not yet concluded—treat as “unknown”, not safe.\n\nUse alongside sandboxing, least privilege, and manual review when in doubt.\n\n---\n\n**Links:**\n- [Agent Trust Hub](https://ai.gendigital.com)\n","tags":{"latest":"1.0.1"},"stats":{"comments":0,"downloads":3450,"installsAllTime":10,"installsCurrent":10,"stars":10,"versions":2},"createdAt":1770230692756,"updatedAt":1778486017068},"latestVersion":{"version":"1.0.1","createdAt":1770426082202,"changelog":"- Added _meta.json file for metadata management.\n- No changes to existing skill logic or documentation.","license":null},"metadata":null,"owner":{"handle":"rexshang","userId":"s17ejbqbecgcrz3qgc91xthkdd884xw7","displayName":"rexshang","image":"https://avatars.githubusercontent.com/u/13360422?v=4"},"moderation":null}