Agentic Security Audit
Review
Audited by ClawScan on May 10, 2026.
Overview
The visible artifacts describe a documentation-only security audit toolkit with purpose-aligned commands, but users should handle secret-scan output and audit-fix commands carefully.
Use this only in repositories you intend to audit. Review each command before running it, run dependency fixes on a branch, avoid sharing raw secret-scan output, and verify the publisher/source because the packaged metadata does not fully match the registry metadata.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running these commands may change dependencies or lockfiles in the project.
These are documented, user-directed audit-fix commands that can modify dependency files or installed packages. That is aligned with a security-audit/fix skill, but it is still a meaningful local mutation.
# Fix automatically where possible
npm audit fix
...
# With fix suggestions
cargo audit fix
Run fix commands only on a branch or backup, review diffs afterward, and avoid letting an agent apply fixes without explicit confirmation.
Secret values could become visible in chat logs, terminal scrollback, or audit reports if results are not redacted.
The skill intentionally searches current files and git history for credentials. This is purpose-aligned, but matching secrets may be printed into the terminal or agent conversation.
grep -rn 'AKIA[0-9A-Z]\{16\}' ... .
...
git log -p --all | grep -n -i 'api.key\|password\|secret\|token' | head -50
Run secret scans in a trusted environment, redact findings before sharing them, and rotate any real secrets that appear in output.
Users may have less certainty that the registry entry and packaged metadata refer to the same original skill identity.
The supplied registry metadata lists a different owner ID and slug for the evaluated skill. This looks like a provenance or packaging inconsistency, not malicious behavior by itself.
"ownerId": "kn7f6g2r31qsb1ts8cf5x7rpk180fn9j", "slug": "security-audit-toolkit"
Verify the publisher and full source before trusting the skill for sensitive audits.
Future commits in that repository may be blocked until the hook is edited or removed.
The pre-commit hook example would keep affecting future commits if the user installs it. It is clearly presented as a hook for secret prevention and is purpose-aligned.
# .git/hooks/pre-commit - Block commits containing potential secrets
...
EXIT_CODE=1
...
exit $EXIT_CODE
Install the hook only intentionally, keep a copy of the script, and remove or adjust it if it blocks legitimate commits.
