x-osv
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill provides disclosed OSV vulnerability lookup and local project scanning commands, with the main caution being its reliance on external tools.
This appears safe for its stated purpose. Before installing, make sure x-cmd and osv-scanner come from trusted sources, and only scan directories or lockfiles you intend to analyze.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing external tools can add code to the local environment, so the user should trust the install source.
The skill relies on external tooling that is not included in the artifact. This is purpose-aligned for an x-cmd OSV wrapper, but users should verify the provenance of those tools.
**Dependency**: This is an x-cmd module. Install x-cmd first ... **Required Tool**: Install osv-scanner for project scanning
Install x-cmd and osv-scanner only from their official or trusted package sources, and review their versions if used in sensitive environments.
If run on a broad or unintended path, the scan may inspect more project metadata than intended.
The skill documents commands that scan local project paths. This is expected for vulnerability scanning, but it means the agent or user may cause local dependency files to be inspected.
`x osv scanner <path>` | Scan project for vulnerabilities
Run scans only against intended project directories or specific lockfiles, especially in repositories containing private dependency information.
