skill-prescan
Advisory
Audited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill requires giving it access to an LLM provider account or gateway through an API key.
The skill requires a provider credential to call an LLM service. This is expected for the stated scanning purpose, but users should provide only a trusted, appropriately scoped API key.
An OpenAI API key (or any OpenAI-compatible API)
Prefer environment variables over command-line key arguments where possible, use a limited-scope key if the provider supports it, and do not use untrusted API gateways.
Any sensitive information accidentally included in the SKILL.md may be sent to the chosen LLM provider or custom endpoint.
The skill transmits the file being reviewed to an external model provider. This is clearly disclosed and purpose-aligned, but it is a data boundary users should notice.
The scanner sends your SKILL.md content to an LLM
Remove secrets or private information from the SKILL.md before scanning, and use only trusted providers or gateways.
