Security Scanner Pro
Review
Audited by ClawScan on May 10, 2026.
Overview
No malware is visible, but the skill advertises 24/7 automation and API integration with little defined scope and has inconsistent package identity details, so it should be reviewed carefully before use.
Before installing, verify that the package name you install is the intended reviewed skill, and do not allow any 24/7 monitoring unless targets, APIs, permissions, logs, and stop controls are clearly defined. There is no artifact evidence of malware or exfiltration, but the current documentation is too vague for safe unattended use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If interpreted literally, the agent could continue monitoring or making network/API calls beyond a single user-requested scan.
The skill advertises continuous autonomous operation and automatic optimization, but the artifacts do not define user opt-in, target scope, stop conditions, or containment.
- Automated execution, running 24/7 - Real-time monitoring, automatic optimization
Only allow continuous monitoring with explicit user approval, defined targets, a schedule, clear stop controls, and documented logging/data handling.
A user copying the documented install command may install or verify a different package than the one under review.
The reviewed registry slug is security-scanner-pro, but the skill frontmatter and install command refer to security-scanner, which creates package identity and provenance ambiguity.
name: security-scanner ... clawhub install security-scanner
Align the registry slug, skill name, README, and install command, and provide a clear source or homepage so users can verify provenance.
The skill may make external requests during scanning, and users are not told where requests go or what data is included.
Network/API access through curl is plausible for a security scanner, but the artifacts do not document destinations, request scope, or approval expectations.
requires: bins: ["curl"] ... - API integration, supports mainstream platforms
Document the intended APIs, require user-provided targets, and ask before making network calls outside the user’s requested scope.
Users could over-trust or overpay for the skill based on unsupported earnings claims.
The skill includes price and return-on-investment claims that are not substantiated by implementation details, usage data, or evidence in the artifacts.
## Price: $400 USDC ... - Expected monthly earnings: $800-$((400 * 4)) - Payback period: 1-2 months
Verify the publisher and functionality independently before paying; the publisher should substantiate or remove revenue claims.
