Snyk Vulnerability Scanner
v1.0.0
Automates Snyk security vulnerability scanning, GitHub issue reporting, and auto-fix PR creation for repositories. Use when scanning repositories for securit...
by @cr0m3
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
Name/description match the included scripts: scanning with Snyk, creating issues via gh, and creating PRs after applying fixes. The files and runtime requirements are proportional and expected for this functionality.
Instruction Scope
SKILL.md and the scripts limit actions to cloning the target repo, running snyk, creating GitHub issues, and creating/pushing a fix branch/PR. The scripts reference only expected CLIs (git, snyk, gh, jq, python3) and temporary paths; they do not read unrelated system files or post data to unknown endpoints.
Install Mechanism
No install spec is provided (instruction-only install), and the code files are standard scripts. Nothing is downloaded from arbitrary URLs or written into unusual system locations.
Credentials
The skill does not declare environment variables but requires local CLI authentication for Snyk and GitHub and expects git credentials / repo write access. This is coherent with the purpose, but users must supply and manage credentials (gh auth, snyk auth, or git remote credentials) outside the skill; ensure those credentials have appropriate scopes.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide agent settings. It will create branches/PRs and push to origin (requires repository write access), which is expected behavior for auto-fix functionality.
Assessment
This skill appears to do exactly what it claims: run Snyk scans, create GitHub issues, and open auto-fix PRs. Before using it: (1) ensure you have the Snyk CLI and GitHub CLI installed and authenticated locally (gh auth, snyk auth); (2) run with dry-run first to inspect what changes would be made; (3) note the scripts clone and push branches—only use with repos you trust and where the auth tokens have minimal necessary scope (repo write only); (4) review the included scripts for any policy you want to enforce (commit author/email, branch names, labels); and (5) if you plan to schedule automated runs, restrict which repo URLs the cron job uses and monitor generated PRs/issues.

Like a lobster shell, security has layers — review code before you run it.
Tags: automation, github, latest, security, snyk, vulnerability
