Network Scanner
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its network-scanning purpose, but its script builds shell commands from user/configured inputs and has gaps in the promised scan-safety checks.
Review or patch the script before installing. If you use it, scan only networks you control, avoid untrusted CIDR or DNS values, prefer --no-sudo when possible, and add strict size and input validation before letting an agent invoke it automatically.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted DNS server or target value could cause the agent to run commands on the user's machine instead of only scanning the network.
The script runs shell commands and directly interpolates DNS server and CIDR values that the SKILL.md documents as user/configurable inputs. Shell metacharacters in those values could execute unintended local commands.
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
...
cmd += f" @{dns_server}"
...
nmap_cmd = f"{sudo}nmap -sn -oX - {cidr} 2>/dev/null"
Replace shell=True with argument lists, validate DNS/CIDR values with ipaddress or equivalent parsing, and reject values containing shell syntax.
The scanner could accidentally attempt broader scans than expected or hang/crash on very large network ranges.
The advertised public-network protection checks only the first host rather than the whole CIDR and materializes all hosts before blocking. Unusual or very large CIDRs could bypass intended bounds or consume excessive resources.
network = ipaddress.ip_network(cidr, strict=False)
# Get first host IP (skip network address)
test_ip = str(list(network.hosts())[0]) if network.num_addresses > 1 else str(network.network_address)
...
if not test_ip_obj.is_private:
Validate the entire target network, cap allowed CIDR sizes, avoid list(network.hosts()), and require explicit confirmation for large or configured-trusted ranges.
Running scans with sudo may expose more local network information and can increase harm if command handling is abused.
Elevated privileges are disclosed and are purpose-aligned for ARP/MAC discovery, but they increase the impact of mistakes or unsafe command construction.
- `sudo` access recommended for MAC address discovery
Use --no-sudo unless MAC addresses are needed, and only run sudo scans for networks you own or administer.
