GI Security Audit
Result: Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a straightforward instruction-only security audit skill with purpose-aligned scan commands that users should review before running.
This skill appears safe as an instruction-only security checklist. Before use, review any suggested pip, npm, or rg commands, run them in the intended project or an isolated environment, and avoid including actual secret values in shared audit reports.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the suggested commands could install packages from an external package index on the user's machine.
The skill suggests installing third-party dependency audit tools without version pins. This is purpose-aligned for vulnerability scanning, but it relies on the package source and changes the local environment.
pip install safety
safety check
# or use pip-audit
pip install pip-audit
pip-audit
Run these tools in an isolated virtual environment or approved development environment, and consider pinning or verifying tool versions before installation.
The agent may inspect local code and dependency metadata to find security issues.
The skill documents local command-line scans over project files and dependencies. These commands are central to the stated audit purpose and are not shown with destructive flags, but they should be scoped to the intended repository.
npm audit
...
rg -i "password\s*=\s*['\"]|api_key\s*=\s*['\"]|secret\s*=\s*['\"]" --type py
Approve command execution explicitly and run scans only in repositories you intend to audit, avoiding unrelated private directories.
