Evez Skill Vetter

Pass

Audited by ClawScan on May 12, 2026.

Overview

This appears to be a local skill-scanning tool; the exec/eval alerts raised against its source are the pattern signatures it searches for, not code it executes. Its safety scores should still be treated as a rough aid rather than a guarantee.

This skill is reasonable to use as a local, user-invoked scanner, but keep its scope narrow and do not rely on its score as a complete security decision. Be aware that the documented --slug workflow appears unimplemented and that the script may need the click Python package to run.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run against the wrong folder, the tool may inspect many local files, although the provided code does not send them anywhere.

Why it was flagged

The scanner recursively reads files under the user-supplied path. This is expected for local static analysis, but it becomes broader than intended if the user points it at a large or private directory.

Skill content
for filepath in self.skill_path.rglob("*"):
... content = filepath.read_text(encoding="utf-8", errors="ignore")
Recommendation

Run it only on the specific skill directory or a copied review folder, not on broad locations such as a home directory.

What this means

The command may fail unless click is already installed, and users may need to decide how to obtain that dependency.

Why it was flagged

The script depends on the external Python package click, but the provided install metadata has no install spec or dependency declaration.

Skill content
if __name__ == "__main__":
    import click
Recommendation

Install any missing dependency only from a trusted package source, or ask the publisher to declare runtime dependencies explicitly.

What this means

A low score from this tool should not be treated as proof that a third-party skill is safe.

Why it was flagged

The documentation uses strong assurance language for a score produced by a simple static pattern scanner. This is not malicious, but it could cause users to over-trust a low score.

Skill content
0-20: ✅ Safe — install freely
Recommendation

Use the vetter as an initial linting aid and still review permissions, code behavior, provenance, and any external dependencies manually.