Aura Security Scanner
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it claims: it sends a user-provided skill URL to AURA's API and returns a security verdict, but users should know they are relying on a third-party service and its trust claims.
This skill looks coherent and proportionate for a remote security-scanning tool. Before installing, confirm that you trust the AURA provider/domain, avoid submitting private or token-bearing URLs unless appropriate, and treat 'SAFE' scan results as advisory rather than a guarantee.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you paste a private, signed, or sensitive URL, that URL may be sent to the configured AURA service.
The skill sends the user-provided URL to an external API endpoint, and that endpoint can be changed through an environment variable.
const AURA_API_URL = process.env.AURA_API_URL || 'https://api.aurasecurity.io'; ... body: JSON.stringify({ tool: 'scan-skill', arguments: { skillUrl: request.skillUrl, format: request.format || 'auto', includeRepoTrust: request.includeRepoTrust ?? true } })
Only submit skill URLs you are comfortable sharing with the scanner provider, and verify any custom AURA_API_URL setting before use.
Users may over-trust a 'SAFE' or 'AURA Verified' result when deciding whether to install another skill.
The skill presents its remote scan result as an install-safety verdict and verification badge.
| SAFE | 0-20 | No issues found, safe to install | ... Skills with a SAFE verdict can display the AURA Verified badge, showing users they've been scanned and approved.
Treat the scanner's verdict as one input to your decision, and still review permissions, source, and code for high-impact skills.
Users have less registry-level assurance that the listed publisher and external AURA service are the intended provider.
Registry provenance is limited even though the package claims AuraSecurity ownership and points to an external homepage/repository.
Source: unknown; Homepage: none
Verify the publisher, repository, and service domain before relying on this scanner for security decisions.
