Security code review
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill

The skill bundle is benign. The `SKILL.md` file, which contains instructions for the AI agent, explicitly restricts the agent to read-only operations using tools like `ls -R`, `grep`, and `read-file` for security analysis. It also clearly states that the agent MUST NOT write, modify, or delete any files during analysis. The instructions focus on identifying common security vulnerabilities and LLM safety issues, rather than exploiting or creating them, and emphasize high-fidelity, actionable reporting.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked for a security review, the agent may inspect relevant files in the repository to find vulnerabilities.
The skill authorizes local command-line and file-reading activity, which is sensitive because it can inspect a user's codebase. The instructions are purpose-aligned and constrained to read-only review.
You are permitted to use the command line to understand the repository structure... You MUST only use read-only tools like `ls -R`, `grep`, and `read-file` for the security analysis.
Use the skill only on repositories you want reviewed, and review any generated report before sharing it outside your environment.
A security report file may be created in the project workspace, potentially containing vulnerability details from the reviewed code.
The skill may write review artifacts to the workspace when analysis output is requested. This is disclosed and scoped to a dedicated directory.
Artifacts created during security analysis should be stored in a `.shield_security/` directory in the user's workspace.
Check the `.shield_security/` directory after use and treat generated reports as potentially sensitive project-security information.
