Vulnerability Scanner
v1.0.0
Performs static analysis for OWASP 2025 risks, supply chain threats, secrets detection, code patterns, and prioritizes vulnerabilities by exploitability and...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence
Purpose & Capability
Name/description (vulnerability scanning, OWASP/supply-chain/secrets) match the included SKILL.md and the provided Python scanner script; no unrelated environment variables, binaries, or external credentials are requested.
Instruction Scope
SKILL.md instructs the agent to run the included script against a project path. The script reads project files (code and config) and runs local checks. It also spawns subprocesses (for example 'npm audit' when a package.json is present); that step can reach package registries, which is expected for dependency scanning but means a scan can generate network traffic and produce sensitive output (such as detected secrets).
Install Mechanism
No install specification: this is an instruction-only skill with a bundled script, so no installer step downloads or writes anything.
Credentials
The skill declares no required env vars or credentials. The scanner searches files for secrets and patterns, which is appropriate for its stated purpose. There are no requests for unrelated service credentials or config paths.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill does not request persistent system-wide privileges or modify other skills' configs.
Assessment
This package appears to be a normal, self-contained source-code vulnerability scanner. Before running it:
1. Run it on a copy of the target repository, not on a sensitive production directory.
2. It reads many files and may report secrets; treat the results as sensitive and do not leak findings to public outputs.
3. npm audit may contact the network/registry if package.json exists, so run it in an environment where network activity is acceptable.
4. Inspect the included script yourself if you have concerns (it uses subprocess.run and file I/O).
5. Run scans with least privilege or in an isolated container if you want to limit side effects.
Like a lobster shell, security has layers — review code before you run it.
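A harness that applies those precautions (scratch copy without VCS metadata or key files, a minimal environment so inherited tokens are not passed to the scanner, an optional empty network namespace, and a report file created with mode 0600) is shown here as an added example; it is not part of the skill or of its scanner script. It assumes the scanner accepts the project path as its last argument and prints findings to stdout. The `unshare -rn` step is Linux/util-linux only and is skipped when the caller explicitly accepts network access (as `demo()` does); the stand-in scanner in `demo()` is constructed for illustration.

```python
"""Run an untrusted scanner script against a scratch copy with least privilege.

Added example, not the skill's own code. Assumes the scanner takes the project
path as its final argument and writes its findings to stdout.
"""
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# Never hand the scanner the live checkout: copy it, leaving out VCS metadata,
# dependency trees and key material that a source scan has no reason to read.
IGNORE = shutil.ignore_patterns(".git", "node_modules", ".venv", "*.pem", "*.key")


def scratch_copy(project: Path, workdir: Path) -> Path:
    """Copy the project into workdir; symlinks stay links and are not followed."""
    copy = workdir / "project"
    shutil.copytree(project, copy, ignore=IGNORE, symlinks=True)
    return copy


def minimal_env() -> dict:
    """Pass only what a script needs; inherited API tokens and proxies stay out."""
    keep = ("PATH", "HOME", "LANG", "TMPDIR")
    return {k: os.environ[k] for k in keep if k in os.environ}


def isolation_prefix() -> list:
    """`unshare -rn` (util-linux) runs the child in a new user namespace with an
    empty network namespace, so 'npm audit' cannot reach a registry. Returns []
    when unavailable so the caller can refuse rather than silently run online."""
    if sys.platform.startswith("linux") and shutil.which("unshare"):
        return ["unshare", "-rn"]
    return []


def run_scanner(scanner_cmd: list, project: Path, report: Path,
                allow_network: bool = False) -> int:
    """Run scanner_cmd + [copy] with a minimal env and write stdout to `report`.
    Returns the scanner's exit status."""
    prefix = [] if allow_network else isolation_prefix()
    if not allow_network and not prefix:
        raise RuntimeError("no network isolation available; pass "
                           "allow_network=True to accept registry access")
    with tempfile.TemporaryDirectory() as tmp:
        copy = scratch_copy(Path(project), Path(tmp))
        # O_EXCL + 0600: findings may contain secrets, so no other local user can
        # read them and a pre-planted symlink at the report path cannot redirect them.
        fd = os.open(report, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as out:
            proc = subprocess.run(prefix + list(scanner_cmd) + [str(copy)],
                                  cwd=copy, env=minimal_env(), stdout=out,
                                  stderr=subprocess.STDOUT, timeout=600)
    return proc.returncode


def demo() -> dict:
    """Constructed project plus a stand-in scanner that just lists what it sees."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "src"
        (project / ".git").mkdir(parents=True)
        (project / ".git" / "config").write_text("[remote]\n")
        (project / "app.py").write_text("print('hello')\n")
        (project / "deploy.pem").write_text("-----BEGIN PRIVATE KEY-----\n")
        report = Path(tmp) / "report.txt"
        fake_scanner = [sys.executable, "-c",
                        "import os, sys; print(sorted(os.listdir(sys.argv[1])))"]
        rc = run_scanner(fake_scanner, project, report, allow_network=True)
        return {"rc": rc,
                "report": report.read_text().strip(),
                "mode": report.stat().st_mode & 0o777}


if __name__ == "__main__":
    print(demo())
```

For the real skill, replace `fake_scanner` with `[sys.executable, "path/to/the/bundled/script.py"]` and leave `allow_network` at its default so the run fails closed on hosts where `unshare` is not available, instead of letting 'npm audit' go online unnoticed.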
latest: vk977azwx6q6ya6kddqhhv9hws1818rpv
