skill-security-scanner-clean

ReviewAudited by ClawScan on May 10, 2026.

Overview

This appears to be a real local skill-security scanner, but its install guard extracts untrusted .skill archives before validation, which users should review before relying on it as a pre-install safety gate.

Use this only on specific skill folders or sandboxed copies, and be cautious with .skill archive scanning until archive extraction is hardened. The provided artifacts do not show network exfiltration or credential access, but generated reports may contain source-code excerpts, so review before sharing them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ConcernHigh Confidence

ASI04: Agentic Supply Chain Vulnerabilities

What this means

A crafted skill archive could affect the local filesystem or consume resources during the pre-install scan, before the scanner has produced a warning.

Why it was flagged

The install guard handles potentially untrusted skill archives by extracting them before scanning, but the provided code does not show validation of archive entries, path constraints, size limits, symlink handling, or cleanup.

Skill content

if skill_path.endswith('.skill'):
        import tempfile
        import zipfile
        
        extract_dir = tempfile.mkdtemp(prefix="skill_scan_")
        with zipfile.ZipFile(skill_path, 'r') as z:
            z.extractall(extract_dir)
        skill_path = extract_dir

Recommendation

Harden archive handling before using this as an install gate: inspect entries first, reject absolute or parent-directory paths and symlinks, enforce file count and size limits, extract in a sandbox, and clean up temporary files.

NoteHigh Confidence

ASI02: Tool Misuse and Exploitation

What this means

If pointed at a large or private directory instead of a specific skill folder, it may inspect many local source files.

Why it was flagged

The scanner recursively reads code-like files under the user-supplied path. This is expected for a security scanner, but it can cover more local files than intended if the path is broad.

Skill content

for ext in ['.py', '.js', '.ts', '.sh', '.bash', '.ps1']:
            for file_path in skill_path.rglob(f'*{ext}'):
                if self._should_scan_file(file_path):
                    self._scan_file(file_path)

Recommendation

Run it on a narrowly scoped skill directory or a sandboxed copy of the skill rather than broad folders such as a home directory or workspace root.

NoteMedium Confidence

ASI06: Memory and Context Poisoning

What this means

Saved or shared scan reports could disclose small excerpts of scanned source files or carry untrusted text from a skill being reviewed.

Why it was flagged

Generated findings include excerpts from scanned files. This is useful for review, but reports may contain snippets of private code, secrets accidentally present in code, or untrusted text from scanned skills.

Skill content

"code_snippet": self.code_snippet[:200] if self.code_snippet else ""

Recommendation

Treat scan reports as sensitive, review them before sharing, and avoid feeding report snippets back into an agent as trusted instructions.