Vulnerability Scanner
Result: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: vulnerability-scanner
Version: 1.0.0

The OpenClaw skill 'vulnerability-scanner' is classified as benign. `SKILL.md` gives detailed, legitimate instructions for a security scanner and contains no prompt injection attempts. The core script `scripts/security_scan.py` implements the stated purpose: static analysis for secrets, dangerous code patterns, and configuration issues within a user-specified project path. It uses `subprocess.run` to execute `npm audit`, a standard dependency-audit tool, and reads files only within the designated project directory. There is no evidence of data exfiltration, unauthorized system modification, or malicious execution beyond its stated function of identifying vulnerabilities.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at a broad or sensitive directory, the agent may inspect private source/config files and include file paths, secret types, and vulnerability summaries in its output.
The scanner recursively reads files under the user-supplied project path, limited to code and config extensions, to detect secrets and vulnerable patterns.
for root, dirs, files in os.walk(project_path): ... ext not in CODE_EXTENSIONS and ext not in CONFIG_EXTENSIONS
Run it only on intended project directories and review outputs before sharing them.
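The following is an added example of how the bounded walk and the output caveat above can be enforced; it is illustrative code written for this review, not the skill's `scripts/security_scan.py`. The extension sets, the skip list, the secret patterns and every function name are assumptions: the report quotes only `os.walk`, `CODE_EXTENSIONS` and `CONFIG_EXTENSIONS`. It adds two things the quoted filter does not show: a symlink that resolves outside the project root is skipped rather than read, and findings carry the secret type and location but only a redacted preview of the value, so the output is safer to share.

```python
"""Bounded project walk with extension filtering and redacted secret findings.

Added example for this review, not code from the vulnerability-scanner skill.
The extension sets, skip list, secret patterns and function names are assumptions.
"""
import json
import os
import re
import sys

CODE_EXTENSIONS = {".py", ".js", ".ts", ".go", ".rb", ".sh"}            # assumed
CONFIG_EXTENSIONS = {".json", ".yaml", ".yml", ".toml", ".ini", ".cfg"}  # assumed
CONFIG_FILENAMES = {".env", "Dockerfile"}  # dotfiles have no extension, so match by name
SKIP_DIRS = {".git", "node_modules", ".venv", "venv", "__pycache__"}

# Hypothetical detectors, keyed by the secret *type* that will appear in the output.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
}


def is_scannable(filename: str) -> bool:
    """Keep only code and config files, mirroring the report's extension filter."""
    if filename in CONFIG_FILENAMES:
        return True
    ext = os.path.splitext(filename)[1].lower()
    return ext in CODE_EXTENSIONS or ext in CONFIG_EXTENSIONS


def is_within(root: str, candidate: str) -> bool:
    """Lexical containment check: candidate must sit under root after normalisation."""
    root_n = os.path.normpath(os.path.abspath(root))
    cand_n = os.path.normpath(os.path.abspath(candidate))
    return os.path.commonpath([root_n, cand_n]) == root_n


def redact(value: str) -> str:
    """Prove a secret exists without reproducing it: keep a 4-char prefix only."""
    return value[:4] + "*" * max(len(value) - 4, 4)


def find_secrets_in_text(text: str):
    """Return (line_no, secret_type, redacted_preview) for every match in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                # Use the captured value when the pattern has one, else the whole match.
                hits.append((line_no, kind, redact(m.group(m.lastindex or 0))))
    return hits


def iter_project_files(project_path: str):
    """Walk project_path, prune noisy directories, and refuse symlinks that escape it."""
    root = os.path.realpath(project_path)
    if not os.path.isdir(root):
        raise NotADirectoryError(root)
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if not is_scannable(name):
                continue
            full = os.path.join(dirpath, name)
            # e.g. config.json -> /etc/... would otherwise be read and reported.
            if os.path.islink(full) and not is_within(root, os.path.realpath(full)):
                continue
            yield full


def scan_project(project_path: str):
    """Findings carry relative path, line and secret type, never the raw value."""
    root = os.path.realpath(project_path)
    findings = []
    for path in iter_project_files(root):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue
        for line_no, kind, preview in find_secrets_in_text(text):
            findings.append({"file": os.path.relpath(path, root), "line": line_no,
                             "type": kind, "preview": preview})
    return findings


if __name__ == "__main__":
    print(json.dumps(scan_project(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it as `python scan_example.py /path/to/project`. The containment check is lexical on purpose: `os.walk` already refuses to descend into symlinked directories, so the only remaining escape is a symlinked file, and `realpath` plus `is_within` closes it. Redaction is what makes the report shareable: a reviewer can confirm that an AWS key sits on line 2 of a config file without the key itself being copied into a ticket or chat log.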
Running the full scan may execute the local npm CLI in the selected project and may depend on the user’s npm configuration and network behavior.
The script runs a fixed `npm audit --json` command when a `package.json` is present, resolving the `npm` binary from the caller's PATH rather than by absolute path. This is aligned with dependency vulnerability scanning and is not hidden, but it is still local command execution.
subprocess.run(["npm", "audit", "--json"], cwd=project_path, capture_output=True, text=True, timeout=60)
Use the script in projects you intend to audit, and be aware that npm audit may contact npm services with dependency metadata.
Users have less provenance information to verify the script’s origin, and environments without npm may silently skip npm audit checks.
The skill has no public source/homepage metadata, and the metadata does not declare npm even though the script can optionally use npm audit.
Source: unknown; Homepage: none; Required binaries: none
Review the included script before use and treat npm audit as an optional dependency for JavaScript projects.
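The two notes above (local execution of a fixed `npm audit` command, and the risk of silently skipping it where npm is absent) can both be handled by making every outcome an explicit status. The following is an added example written for this review, not the skill's code; `run_npm_audit`, `summarize_audit_json`, the status names and the sample report are this example's own choices. It keeps the same fixed argument list and 60-second timeout the report quotes. The sample JSON is constructed in the shape of an npm 7+ audit report and uses fictitious package names.

```python
"""Explicit-status wrapper around `npm audit --json`.

Added example for this review, not the skill's own code. The status names,
helper names and the constructed sample report below are this example's choices.
"""
import json
import os
import shutil
import subprocess
import sys

SEVERITY_ORDER = ("info", "low", "moderate", "high", "critical")


def summarize_audit_json(raw: str) -> dict:
    """Reduce an npm 7+ (auditReportVersion 2) JSON report to counts and package names.

    Both `metadata.vulnerabilities` and the top-level `vulnerabilities` map may be
    absent, so lookups are defensive. A report whose only content is an `error`
    object (registry or auth failure) is rejected rather than read as "0 findings".
    """
    report = json.loads(raw)
    if "error" in report:
        err = report["error"]
        raise ValueError(err.get("code", "npm-error") if isinstance(err, dict) else str(err))
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    packages = report.get("vulnerabilities", {})
    by_severity = {sev: int(counts.get(sev, 0)) for sev in SEVERITY_ORDER}
    return {
        "total": int(counts.get("total", sum(by_severity.values()))),
        "by_severity": by_severity,
        "packages": sorted((name, info.get("severity", "unknown"))
                           for name, info in packages.items()),
    }


def run_npm_audit(project_path: str, npm_bin: str = "npm", timeout: int = 60) -> dict:
    """Run the same fixed command the skill uses, but never skip or fail silently."""
    if not os.path.isfile(os.path.join(project_path, "package.json")):
        return {"status": "skipped_no_package_json"}
    if shutil.which(npm_bin) is None:
        return {"status": "skipped_npm_not_installed", "binary": npm_bin}
    try:
        proc = subprocess.run([npm_bin, "audit", "--json"], cwd=project_path,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "seconds": timeout}
    # npm audit exits non-zero whenever vulnerabilities are found, so the exit code
    # alone cannot separate "findings" from "broken run": parse the JSON instead.
    try:
        summary = summarize_audit_json(proc.stdout)
    except (ValueError, AttributeError, TypeError) as exc:  # JSONDecodeError is a ValueError
        return {"status": "error", "returncode": proc.returncode, "detail": str(exc),
                "stderr": proc.stderr.strip()[:500]}
    return {"status": "ok", "returncode": proc.returncode, **summary}


# Constructed sample in the shape of an npm 7+ audit report; package names are fictitious.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-a": {"name": "pkg-a", "severity": "high", "fixAvailable": True},
        "pkg-b": {"name": "pkg-b", "severity": "moderate", "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 2}},
})

if __name__ == "__main__":
    print(json.dumps(run_npm_audit(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

The `shutil.which` check turns a missing `npm` into a visible `skipped_npm_not_installed` result instead of a caught `FileNotFoundError` that leaves the caller believing dependencies were audited. Nothing here changes what `npm audit` itself does: when it does run it still sends the project's dependency tree to the npm registry, so the recommendation above to use this only on projects you intend to audit still applies.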
