Skill-Scanner-Pro

Pass. Audited by ClawScan on Feb 27, 2026.

Overview

The skill's code, documentation, and runtime instructions are consistent with a local static scanner for agent skills; it does not request credentials or install remote binaries, though there are minor provenance/metadata issues and normal scanner caveats to consider before running.

This package appears to be a straightforward local static scanner and UI for auditing Clawdbot/MCP skills. Before installing or running it:

1) Verify the source: confirm the GitHub repository and registry owner match and review the full repo for unexpected network calls or shell execution (the README points to a GitHub repo whose owner differs from the registry owner).
2) Run the scanner on copies of skill folders in an isolated environment (container or VM), not as root, particularly when scanning untrusted skills.
3) Expect false positives (patterns like '.env' or credential path mentions will be flagged) and review findings manually.
4) If you use the Streamlit UI, install streamlit in a controlled environment; the UI writes uploaded files to a temporary directory.
5) If you need higher assurance, review the full, untruncated source for any hidden network access or subprocess execution before trusting it with sensitive directories.