Security Audit by Jason
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned local security scanner, with no evidence of credential use, network transfer, or actual dynamic code execution in the visible artifacts.
This skill appears reasonable as a basic local pre-screen for unfamiliar code. Run it only from the specific project or skill folder you want audited, inspect the complete audit.py before execution, and do not treat a PASS result as a guarantee that the code is safe.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run from the wrong folder, it may inspect many local files and print or save their paths and suspicious-pattern locations.
The script recursively enumerates and reads files under the chosen directory to perform the audit. This is central to the advertised purpose, but it is broad if the user runs it from a home directory or another private location.
for filepath in directory.rglob('*'):
Run it only inside the specific downloaded repo, skill, or folder you intend to audit, and review any report before sharing it.
There is no evidence of malicious behavior, but a user cannot fully validate the script from the truncated source shown here.
The provided review view does not include the full audit.py source, so the final entrypoint and output handling cannot be completely verified from these artifacts alone.
"truncated": true
Inspect the complete audit.py from the installed package or registry before making it executable or relying on it.
A user might overtrust a passing result or overreact to a false positive if they treat the heuristic result as definitive.
The skill uses strong PASS/BLOCKED language based on heuristics, but it also discloses its limitations and asks for human judgment.
All checks passed. This resource appears safe to use. ... This is a basic heuristic check, not a full antivirus
Use this as a preliminary static check only; continue manual review and other security checks before running unfamiliar code.
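The first and third findings above (an unbounded rglob walk, and PASS language that reads as a verdict) are easiest to see together in code. What follows is an added example written for this page; it is not ClawScan's code and not the audited skill's audit.py, whose full source is not shown here. It refuses obviously broad roots, confines the walk to the audited tree (dropping symlinks that resolve outside it), caps the number of files read, and reports heuristic hits as needing review rather than as a safety verdict. The regex rule set, the 2000-file cap, the skipped-directory list and the sample tree are constructed assumptions for the demo.

```python
"""Scoped heuristic pre-screen (added example; not ClawScan's or the audited skill's audit.py)."""
import os
import re
import tempfile
from pathlib import Path

# Constructed heuristic rules for illustration; the skill's actual pattern list is not shown on the page.
PATTERNS = {
    "dynamic_exec": re.compile(r"\b(eval|exec)\s*\("),
    "shell_exec": re.compile(r"\b(os\.system|subprocess\.(run|Popen|call))\s*\("),
    "network": re.compile(r"\b(requests\.(get|post)|urllib\.request|socket\.socket)\b"),
    "obfuscation": re.compile(r"base64\.b64decode\s*\("),
    "credential_path": re.compile(r"\.(ssh|aws)/|\.netrc\b"),
}
MAX_FILES = 2000  # assumed cap; keeps a wrong-folder run from reading an entire home directory
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}


def check_scope(directory):
    """Refuse roots that are obviously too broad: the filesystem root, $HOME, or an ancestor of $HOME."""
    root = Path(directory).resolve()
    too_broad = root == Path(root.anchor)
    try:
        home = Path.home().resolve()
        too_broad = too_broad or root == home or root in home.parents
    except RuntimeError:  # home directory cannot be determined; keep only the anchor check
        pass
    if too_broad:
        raise ValueError(f"refusing to scan {root}: run the audit from the specific skill or repo folder")
    return root


def iter_files(root):
    """rglob-style walk confined to root: skips noisy dirs and anything that resolves outside the tree."""
    for path in root.rglob("*"):
        if SKIP_DIRS.intersection(path.relative_to(root).parts):
            continue
        if not path.is_file():  # also drops directories and dangling symlinks
            continue
        real = path.resolve()
        if real != root and root not in real.parents:
            continue  # symlink (or symlinked parent) escaping the audited tree
        yield path


def scan(directory):
    """Return heuristic hits with file:line evidence and a deliberately non-definitive verdict."""
    root = check_scope(directory)
    findings, seen, truncated = [], 0, False
    for path in iter_files(root):
        seen += 1
        if seen > MAX_FILES:
            truncated = True  # report is incomplete; say so instead of silently passing
            break
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append({"file": path.relative_to(root).as_posix(), "line": lineno,
                                     "rule": rule, "text": line.strip()[:120]})
    # Not "PASS": no hits only means these regexes did not fire, not that the code is safe.
    verdict = "NEEDS_REVIEW" if findings else "NO_HEURISTIC_HITS"
    return {"root": str(root), "verdict": verdict, "truncated": truncated, "findings": findings}


def build_demo_tree():
    """Constructed sample tree (not a real skill): one suspicious file, a skipped .git entry, an escaping symlink."""
    base = Path(tempfile.mkdtemp(prefix="clawscan_demo_"))
    skill = base / "skill"
    (skill / ".git").mkdir(parents=True)
    (skill / "SKILL.md").write_text("# demo skill\nReads project files and prints a report.\n")
    (skill / "audit.py").write_text(
        "import subprocess\n"
        "def run(cmd):\n"
        "    return subprocess.run(cmd, shell=True)\n"
        "payload = base64.b64decode(blob)\n")
    (skill / ".git" / "config").write_text("eval(ignored)\n")  # under a skipped directory
    (base / "outside.txt").write_text("eval(outside_the_tree)\n")
    try:
        os.symlink(base / "outside.txt", skill / "link.txt")  # must not be read: resolves outside root
    except OSError:
        pass  # symlinks unavailable on this platform; the scope check is still exercised by the rest
    return scan(skill)


if __name__ == "__main__":
    report = build_demo_tree()
    print(report["verdict"], "(truncated)" if report["truncated"] else "")
    for f in report["findings"]:
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['text']}")
```

Run it from inside the folder you mean to audit and the `check_scope` call rejects `~` or `/` outright; the `truncated` flag mirrors the second finding's point that a cut-off view is not a clean one, and the verdict string avoids the PASS wording the third finding cautions about.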
