Agent Auditor
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill is broadly coherent for auditing a user-selected source directory, but it relies on an unpinned external npm audit package whose contents are not among the reviewed artifacts.
The skill appears appropriate for auditing a specific source directory, but verify the external npm packages before running it, and do not point it at directories that contain secrets or unrelated private files.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the npx command may download and execute code that was not included in this review.
The documented primary workflow runs an external npm package whose version is not pinned and whose contents are not among the provided artifacts.
npx @claws-shield/cli audit <path-to-source>
Verify the npm package's source and version before use, and prefer a pinned, reviewed dependency recorded in a lockfile.
The reviewed wrapper is small, but the main audit logic is outside the supplied artifacts.
The included wrapper delegates the core audit behavior to an external package that is not included in the manifest and has no install specification here.
import { runAudit } from "@claws-shield/auditor"
Review or pin the @claws-shield/auditor package before trusting audit results or running it on sensitive source code.
If pointed at a sensitive directory, the audit may read files such as source code, configuration files, or accidental secrets.
The skill requests local command execution plus file read/search/write capabilities, which are expected for source-code auditing but still give it access to the selected local project.
allowed-tools:
  - Bash
  - Read
  - Glob
  - Grep
  - Write
Invoke it only on directories you intend to audit, and avoid broad home-directory or credential-containing paths.
