clawsec-feed
Pass. Audited by ClawScan on May 1, 2026.
Overview
This appears to be a security advisory feed with documented install/update instructions; the main thing to review is its remote-download installation flow and how advisory data may influence your agent.
This skill looks appropriate for a security advisory feed. Before installing, verify the Prompt Security GitHub release and checksums, run the shell commands only with explicit approval, and treat feed advisories as prompts for review rather than automatic instructions to change or remove software.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing from the latest remote release means the installed content depends on the current upstream release and GitHub availability/integrity.
The standalone install flow fetches the latest release metadata and artifacts from GitHub rather than using a pinned local artifact. The instructions also include checksum validation and provenance warnings, so this is a disclosed supply-chain consideration rather than suspicious behavior.
LATEST_TAG=$(curl -sSL --retry 3 --retry-delay 1 https://api.github.com/repos/prompt-security/ClawSec/releases | jq -r '[.[] | select(.tag_name | startswith("clawsec-feed-v"))][0].tag_name')
Review the release source, confirm checksums from a trusted channel, and consider pinning a known version when installing on sensitive systems.
A user or agent following the standalone install instructions will run local shell commands and write files under the OpenClaw skills directory.
The skill documents shell-based setup commands for downloading, verifying, and extracting the package. These commands are user-directed and central to standalone installation, with no evidence of hidden automatic execution.
Required runtime for standalone installation: `bash`, `curl`, `jq`, `shasum`, `unzip`
Run the install steps manually or with explicit approval, review the downloaded artifact before installing, and avoid running the commands with elevated privileges unless necessary.
Advisory entries may influence what your agent recommends about vulnerabilities, updates, or removing skills.
The package provides external advisory data intended for AI agents to consume and act on. That is the stated purpose, but community-driven security content should be treated as advisory context, not unquestioned authority.
**Community-Driven** - Advisories contributed and reviewed by the security community
Use the feed as a signal, but verify important advisories against the linked references or trusted vendor sources before making disruptive changes.
