Vulnerability Scanner
Pass. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent source-code vulnerability scanner; it reads user-selected project files and may run npm audit, while the eval/exec static-scan alerts are pattern strings used for detection rather than executed code.
Before installing or running, make sure you only point this scanner at projects you intend to audit. Its secret and config scanning may surface sensitive file names and findings in the agent’s output, and full dependency scans may run npm audit for JavaScript projects.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at a broad or sensitive directory, the agent may inspect private source/config files and include file paths, secret types, and vulnerability summaries in its output.
The scanner recursively reads files under the user-supplied project path, limited to code and config extensions, to detect secrets and vulnerable patterns.
for root, dirs, files in os.walk(project_path): ... ext not in CODE_EXTENSIONS and ext not in CONFIG_EXTENSIONS
Run it only on intended project directories and review outputs before sharing them.
Running the full scan may execute the local npm CLI in the selected project and may depend on the user’s npm configuration and network behavior.
The script runs a fixed npm audit command when a package.json is present. This is aligned with dependency vulnerability scanning and is not hidden, but it is still local command execution.
subprocess.run(["npm", "audit", "--json"], cwd=project_path, capture_output=True, text=True, timeout=60)
Use the script in projects you intend to audit, and be aware that npm audit may contact npm services with dependency metadata.
Users have less provenance information to verify the script’s origin, and environments without npm may silently skip npm audit checks.
The skill has no public source/homepage metadata, and the metadata does not declare npm even though the script can optionally use npm audit.
Source: unknown; Homepage: none; Required binaries: none
Review the included script before use and treat npm audit as an optional dependency for JavaScript projects.
