Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cisco AI Skill Scanner
v1.0.1
Scan agent skills for security threats using the Cisco AI skill-scanner CLI. Triggers on: scan skill for security, check skill safety, audit skill code, skil...
by Dewaldt Huysamen (@godsboy)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (skill-scanner), example commands, and the included wrapper script all directly implement a skill-scanner. Required resources (skill-scanner binary, optional LLM API key) are appropriate for the stated purpose.
Instruction Scope
SKILL.md and scripts/scan.sh limit actions to scanning skill directories, invoking the skill-scanner CLI, and optionally calling an external LLM provider when an API key is supplied. There are no instructions to read unrelated system credentials, exfiltrate data to unknown endpoints, or modify unrelated system configuration.
Install Mechanism
There is no platform-level install spec in the registry (instruction-only), but SKILL.md documents installing via pip (pip install cisco-ai-skill-scanner). Installing from PyPI is a common method; verify the pip package source/reputation before installing. The documented flag --break-system-packages is potentially impactful on some systems and should be used cautiously.
Credentials
No required environment variables are declared. The only environment usage is optional: ANTHROPIC_API_KEY or SKILL_SCANNER_LLM_API_KEY for LLM-powered analysis — this is proportionate to the advertised 'use-llm' feature and is clearly documented.
Persistence & Privilege
Skill is not always-enabled, does not request persistent system-wide privileges, and the included script does not modify other skills or global agent configuration. Autonomous invocation defaults are unchanged (normal).
Assessment
This skill appears coherent with its stated purpose, but review the following before installing:
1) Confirm you trust the pip package 'cisco-ai-skill-scanner' (inspect its GitHub repo/release artifacts) — installing packages from PyPI can execute code on your machine.
2) If you enable LLM analysis, scanned skill contents will be sent to the chosen LLM provider (e.g., Anthropic) — do not send sensitive secrets or private keys to external APIs.
3) The documented pip flag (--break-system-packages) can affect system package isolation; prefer using a virtual environment or container for installation.
4) Run the scanner in an isolated environment when first evaluating untrusted skills and review its output to confirm no unexpected network destinations or behaviors.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔍 Clawdis
Bins: skill-scanner
