Security Skill Scanner Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a security tool, but it ships only documentation while recommending install-control hooks and optional persistent jobs that depend on helper scripts not present for review.
Before installing, verify that the referenced Python and shell scripts actually come from the trusted project and inspect what they do. Do not add the molthub shell wrapper or cron jobs until you are comfortable letting this tool affect all future skill installs and run on a schedule.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may think they are installing a working security scanner, but the code that would make security decisions is absent from the reviewed artifacts.
SKILL.md documents local helper files, but the supplied artifact set says there are no code files and this is an instruction-only skill. The scanner and hook implementation are therefore not reviewable from the package.
`skill-scanner.py` | Main scanner with regex pattern detection ... `whitelist-manager.py` ... `moltbook-monitor.sh` ... `permission-manager.py`
Do not run the referenced scripts or rely on the scanner until the actual code is obtained from a trusted source and reviewed.
Skill installation decisions could be controlled by unreviewed code, potentially blocking valid installs or allowing unsafe ones.
This shell-profile wrapper would intercept skill installation commands and delegate them to an unprovided hook script that can affect whether skills are installed.
```sh
molthub() {
  if [ "$1" = "install" ] || [ "$1" = "add" ]; then
    python3 /root/clawd/skills/security-skill-scanner/install-hook.py "$2" --interactive
```

Do not add the shell wrapper until install-hook.py is present, trusted, and confirmed to require clear user approval for install, block, and force actions.
If configured, the scanner and monitor would keep running on a schedule and write logs even after the original task is done.
The cron examples create recurring background execution, but they are marked optional and are disclosed to the user.
```sh
# Daily skill scan at 4 AM
0 4 * * * python3 /root/clawd/skills/security-skill-scanner/skill-scanner.py ...
# Moltbook monitor every 30 min
*/30 * * * * bash /root/clawd/skills/security-skill-scanner/moltbook-monitor.sh
```
Only schedule cron jobs after reviewing the scripts, and prefer user-scoped log paths unless system-level logging is necessary.
