skill-prescan
Pass
Audited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill
Name: skill-prescan
Version: 1.0.0
The skill is a security utility designed to locally simulate the ClawHub security review process for other skills. The core logic in `scripts/scan.py` uses standard Python libraries to send the content of a SKILL.md file to an LLM provider (OpenAI or Anthropic) for analysis. While it handles sensitive API keys, it does so through standard authorization headers to the user-specified endpoints and shows no evidence of data exfiltration, unauthorized code execution, or malicious prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill requires giving it access to an LLM provider account or gateway through an API key.
The skill requires a provider credential to call an LLM service. This is expected for the stated scanning purpose, but users should provide only a trusted, appropriately scoped API key.
An OpenAI API key (or any OpenAI-compatible API)
Prefer environment variables over command-line key arguments where possible, use a limited-scope key if the provider supports it, and do not use untrusted API gateways.
Any sensitive information accidentally included in the SKILL.md may be sent to the chosen LLM provider or custom endpoint.
The skill transmits the file being reviewed to an external model provider. This is clearly disclosed and purpose-aligned, but it is a data boundary users should notice.
The scanner sends your SKILL.md content to an LLM
Remove secrets or private information from the SKILL.md before scanning, and use only trusted providers or gateways.
