Vet Repo
Verdict: Pass. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a user-invoked local repository scanner, with no evidence of network exfiltration, credential use, persistence, or destructive actions, but it does run bundled Python code from an unknown source.
This skill looks coherent for its stated purpose. Treat it like any local security tool: run it only on directories you choose, and remember that its output may include snippets from scanned repo files. Because the provided patterns.py artifact is truncated, review the full installed scripts (especially the pattern database) if you need high assurance.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill executes its included Python scanner against the selected project directory.
The skill authorizes Bash and asks the user/agent to run a local Python scanner. That is central to the stated purpose and is user-directed, but users should still understand that bundled code will execute locally.
allowed-tools: Read, Glob, Grep, Bash ... python3 "$SKILL_DIR/scripts/vet_repo.py" "$PROJECT_ROOT"
Only run it in repositories you intend to scan, and review the bundled scripts if you do not trust the publisher.
It may be harder to verify where the code came from or whether the installed script matches an upstream project.
The skill has limited provenance metadata and no install spec, even though it includes runnable scripts and the SKILL.md expects python3 to be available.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill.
Prefer installing from a trusted publisher or compare the installed scripts with a known source before relying on the scanner.
