Skillguard

Review

Audited by ClawScan on May 1, 2026.

Overview

This skill appears purpose-aligned, but it uploads audited code to an external API and its optional installer can install a named skill after a safe verdict.

This looks coherent for a security-audit skill. Before using it, be comfortable sending audited source code to api.agentsouls.io, avoid auditing files that contain secrets or proprietary content unless you trust the service, and treat the safe-install wrapper as an installer that can modify your installed skills.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Audited code is shared with an external service; this is disclosed, but local files could contain private source code or embedded secrets if the user selects them.

Why it was flagged

The script posts the selected skill or local file contents to https://api.agentsouls.io/api/audit for analysis.

Skill content

response=$(curl -sf -X POST "$API_URL" ... --arg code "$code" --arg source "$source" '{code: $code, source: $source}')

Recommendation

Only audit files you are comfortable sending to that provider, and use manual review or self-hosting for highly sensitive code.

What this means

Installing a skill can change the agent’s future behavior, and the install decision depends on the external audit verdict unless the user chooses to inspect manually.

Why it was flagged

The helper installs the user-named skill automatically when the remote audit returns SAFE or LOW_RISK.

Skill content

SAFE|LOW_RISK) ... echo -e "✅ Skill looks safe. Installing..." ... exec clawhub install "$SKILL"

Recommendation

Review the audit output before relying on the wrapper, and avoid --force unless you already trust the skill being installed.