skill-prescan

Pass

Audited by ClawScan on May 7, 2026.

Overview

This skill appears purpose-aligned, but users should know it sends the SKILL.md being scanned to an external LLM service using a provider API key.

Before installing, be comfortable that this tool sends the SKILL.md you choose to scan to an LLM provider using your API key. Avoid scanning files that contain secrets, and only use trusted API endpoints.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill requires giving it access to an LLM provider account or gateway through an API key.

Why it was flagged

The skill requires a provider credential to call an LLM service. This is expected for the stated scanning purpose, but users should provide only a trusted, appropriately scoped API key.

Skill content

An OpenAI API key (or any OpenAI-compatible API)

Recommendation

Prefer environment variables over command-line key arguments where possible, use a limited-scope key if the provider supports it, and do not use untrusted API gateways.

What this means

Any sensitive information accidentally included in the SKILL.md may be sent to the chosen LLM provider or custom endpoint.

Why it was flagged

The skill transmits the file being reviewed to an external model provider. This is clearly disclosed and purpose-aligned, but it is a data boundary users should notice.

Skill content

The scanner sends your SKILL.md content to an LLM

Recommendation

Remove secrets or private information from the SKILL.md before scanning, and use only trusted providers or gateways.