ClawGuard Scanner
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent for a security-scanning purpose, but users should know it relies on running an external npm/npx scanner and should not treat a clean scan as a complete safety guarantee.
This skill appears appropriate for scanning other OpenClaw skills before installation. Before relying on it, verify the external `clawguard` npm package is the one you intend to run, and remember that a clean scan reduces risk but does not prove a skill is fully safe.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the scanner may fetch and execute external package code on the user's machine.
The skill may install an external npm package globally, and the artifact does not pin a package version. This is aligned with a CLI scanner but depends on the npm package source.
If ClawGuard is not installed, run `npm install -g clawguard` first
Confirm the npm package and repository are the expected ClawGuard project before first use, and prefer a pinned or reviewed version where possible.
A user may over-trust a clean scan even though static pattern checks can miss some unsafe behavior.
The instruction could encourage strong reliance on a clean scanner result, although the artifact also notes that a clean scan does not guarantee absolute safety.
Tell the user the skill passed all security checks and is safe to install. Proceed with the installation.
Treat a pass as a useful signal, not a complete guarantee; review permissions and behavior for high-impact skills before installation.
