v1.0.0

Dep Vuln Scanner

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:54 AM.

Analysis

This dependency scanner appears coherent and purpose-aligned. The main point to note is that it sends package names and versions to OSV.dev for vulnerability lookup.

Guidance

This skill is reasonable for checking project dependencies against known vulnerabilities. Before installing or using it, make sure you are comfortable sharing dependency names and versions with OSV.dev, especially for private projects, and confirm Python 3 is available.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info. Confidence: High. Status: Note.
SKILL.md
python3 scripts/dep_vuln_scan.py .

The documented usage depends on a local Python 3 runtime, while the registry requirements list no required binaries. This is an under-declared environment requirement, not evidence of malicious behavior.

User impact: The skill may fail or behave differently on systems without Python 3 available.

Recommendation: Confirm Python 3 is installed before using the skill; no additional package installation is indicated.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low. Confidence: High. Status: Note.
scripts/dep_vuln_scan.py
url = "https://api.osv.dev/v1/query" ... payload = {"package": {"name": package_name, "ecosystem": ecosystem}} ... payload["version"] = version

The scanner sends package names, ecosystems, and versions to OSV.dev. This is expected for the stated vulnerability-checking purpose, but it is still an external data flow.

User impact: A private project's dependency list could be shared with OSV.dev during scanning.

Recommendation: Use the skill only where sending dependency metadata to OSV.dev is acceptable under your project or organization policy.