Security code review
Pass. Audited by ClawScan on May 10, 2026.
Overview
This instruction-only security review skill appears purpose-aligned and constrained; the detected “secret” is a vulnerable-code example, not evidence of a real credential.
This looks safe to install as an instruction-only security-review skill. Expect it to read relevant source files during an audit and possibly create a local .shield_security/ report if requested. Do not share generated reports publicly without reviewing them, because they may describe real vulnerabilities in your code.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked for a security review, the agent may inspect relevant files in the repository to find vulnerabilities.
The skill authorizes local command-line and file-reading activity, which is sensitive because it can inspect a user's codebase. The instructions are purpose-aligned and constrained to read-only review.
You are permitted to use the command line to understand the repository structure... You MUST only use read-only tools like `ls -R`, `grep`, and `read-file` for the security analysis.
Use the skill only on repositories you want reviewed, and review any generated report before sharing it outside your environment.
A security report file may be created in the project workspace, potentially containing vulnerability details from the reviewed code.
The skill may write review artifacts to the workspace when analysis output is requested. This is disclosed and scoped to a dedicated directory.
Artifacts created during security analysis should be stored in a `.shield_security/` directory in the user's workspace.
Check the .shield_security/ directory after use and treat generated reports as potentially sensitive project-security information.
