OSV Scanner
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is an ordinary-looking vulnerability scanner, but note two behaviours: it sends package names, ecosystems and versions to Google OSV, and in OS-scan mode it runs local shell commands to list installed packages.
Before installing, make sure you are comfortable sharing scanned package names and versions with Google OSV. Run it in a virtual environment, consider pinning the Python dependencies, and use OS-scan mode only on systems you intend to inventory.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Google OSV can receive a list of the packages and versions being scanned, which may reveal details about a project or system.
The scanner sends package names, ecosystems, and versions to https://api.osv.dev/v1/query. This is disclosed and central to vulnerability scanning, but it means dependency or OS package inventory is shared with an external provider.
payload = {"version": version, "package": {"name": name, "ecosystem": ecosystem}} ... requests.post(url, json=payload)
Only scan projects or hosts where sharing package/version inventory with OSV is acceptable; use a private or offline scanner for sensitive environments.
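An added example (not the skill's own code) of the query the finding describes: it builds the same three-field body, refuses to send anything beyond those fields, parses the reply, and runs offline against a constructed response so you can see exactly what inventory would leave the host. The standard-library transport, the guard, the demo package name and the advisory id are all assumptions made for this illustration; only the endpoint and payload shape come from the page.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# The only fields the skill discloses sending. Hostnames, paths or private
# package metadata must not be added; query_osv enforces this set.
ALLOWED_TOP = {"version", "package"}
ALLOWED_PKG = {"name", "ecosystem"}


def build_query(name: str, ecosystem: str, version: str) -> dict:
    """Body of one POST to /v1/query, same shape as the scanner's payload."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def parse_vulns(response: dict) -> List[Dict[str, str]]:
    """OSV answers {} when nothing matches, so the 'vulns' key may be absent."""
    return [
        {"id": v.get("id", ""), "summary": v.get("summary", "")}
        for v in response.get("vulns", [])
    ]


def http_post(url: str, body: dict, timeout: float = 10.0) -> dict:
    """Real transport using only the standard library (assumed stand-in for the
    scanner's requests.post). Not called by the offline demo below."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read().decode()
    return json.loads(raw) if raw else {}


def query_osv(name: str, ecosystem: str, version: str,
              post: Callable = http_post) -> List[Dict[str, str]]:
    payload = build_query(name, ecosystem, version)
    # Guard: refuse to transmit anything beyond the documented fields.
    if set(payload) != ALLOWED_TOP or set(payload["package"]) != ALLOWED_PKG:
        raise ValueError("query would send undisclosed fields: %r" % (payload,))
    return parse_vulns(post(OSV_QUERY_URL, payload))


def scan_inventory(inventory: List[Tuple[str, str]], ecosystem: str,
                   post: Callable = http_post) -> Dict[str, List[Dict[str, str]]]:
    """Query every (name, version) pair; keep only packages with a match."""
    findings: Dict[str, List[Dict[str, str]]] = {}
    for name, version in inventory:
        vulns = query_osv(name, ecosystem, version, post)
        if vulns:
            findings[name] = vulns
    return findings


# Constructed responses for offline use. The package, id and summary are made
# up for this demo and are not real advisories.
FAKE_RESPONSES = {
    ("PyPI", "demo-package", "1.0.0"): {
        "vulns": [{"id": "DEMO-0000-0001", "summary": "constructed sample entry"}]
    },
}


def fake_post(url: str, body: dict, timeout: float = 10.0) -> dict:
    key = (body["package"]["ecosystem"], body["package"]["name"], body["version"])
    return FAKE_RESPONSES.get(key, {})


if __name__ == "__main__":
    # Swap fake_post for http_post to talk to api.osv.dev for real.
    inv = [("demo-package", "1.0.0"), ("demo-package", "2.0.0")]
    print(json.dumps(scan_inventory(inv, "PyPI", post=fake_post), indent=2))
```

Every byte that reaches OSV passes through build_query, so reviewing that one function (and the guard) answers the question "what does this tool share?" for a given host.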
Running the OS mode lets the scanner inspect the machine’s installed package list.
In OS-scan mode, the script runs fixed local shell commands to detect the Linux distribution and list installed packages. The commands are not built from user-controlled input and are purpose-aligned, but they are still local command execution.
subprocess.run("lsb_release -a | grep 'Distributor ID' | awk '{print $3}'", shell=True, ...); subprocess.run("dpkg-query -W -f='${binary:Package} ${Version}\\n'", shell=True, ...)
Use the OS-scan mode only on machines you intend to inventory, and review both commands before running `python3 scanner.py os`.
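An added example (not the skill's code) showing how the same inventory can be collected without shell=True: the dpkg-query format string from the finding is passed as an argv list, so no pipeline is re-parsed by /bin/sh, and the distribution is read from /etc/os-release instead of the lsb_release|grep|awk pipeline. The os-release parsing, the distro-to-OSV-ecosystem map, the injectable runner and the sample outputs are assumptions for this illustration; the sample data is constructed, not captured from a real host.

```python
import subprocess
from typing import Callable, List, Tuple

# /etc/os-release ID value -> OSV ecosystem name (only the two this demo covers).
OSV_ECOSYSTEM = {"debian": "Debian", "ubuntu": "Ubuntu"}

# Command as an argv list: no shell, so nothing is re-parsed. The format string
# holds a real newline because there is no shell to expand "\n" for dpkg-query.
DPKG_LIST_CMD = ["dpkg-query", "-W", "-f=${binary:Package} ${Version}\n"]


def detect_distro(os_release_text: str) -> str:
    """Return the ID= value from os-release text, quotes stripped, or ''."""
    for line in os_release_text.splitlines():
        if line.startswith("ID="):
            return line[len("ID="):].strip().strip("\"'")
    return ""


def parse_dpkg_output(text: str) -> List[Tuple[str, str]]:
    """Turn 'name version' lines into pairs. Blank lines are skipped and the
    ':arch' suffix of multiarch packages is dropped (libc6:amd64 -> libc6)."""
    pairs = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, version = parts
        pairs.append((name.split(":", 1)[0], version.strip()))
    return pairs


def list_installed(run: Callable = subprocess.run) -> List[Tuple[str, str]]:
    """Run dpkg-query without shell=True. `run` is injectable so the demo can
    answer with constructed output instead of touching the machine."""
    proc = run(DPKG_LIST_CMD, capture_output=True, text=True, check=True)
    return parse_dpkg_output(proc.stdout)


def read_os_release(path: str = "/etc/os-release") -> str:
    with open(path) as f:
        return f.read()


def inventory(os_release_text: str, run: Callable = subprocess.run):
    """Detect the distro first and refuse to run package commands on anything
    the scanner has no OSV ecosystem for."""
    distro = detect_distro(os_release_text)
    eco = OSV_ECOSYSTEM.get(distro)
    if eco is None:
        raise ValueError(f"unsupported distro {distro!r}; no package command run")
    return eco, list_installed(run)


# Constructed sample data (assumed shapes, not captured from a real host).
OS_RELEASE_SAMPLE = 'NAME="Ubuntu"\nID=ubuntu\nID_LIKE=debian\nVERSION_ID="22.04"\n'
DPKG_SAMPLE = "adduser 3.118ubuntu5\nlibc6:amd64 2.35-0ubuntu3\n\n"


def fake_run(argv, **kwargs):
    """Stand-in for subprocess.run that only answers the expected argv."""
    assert argv == DPKG_LIST_CMD, "demo only answers the dpkg-query argv"
    return subprocess.CompletedProcess(argv, 0, stdout=DPKG_SAMPLE, stderr="")


if __name__ == "__main__":
    # Replace fake_run with subprocess.run and OS_RELEASE_SAMPLE with
    # read_os_release() to inventory the local machine for real.
    print(inventory(OS_RELEASE_SAMPLE, run=fake_run))
```

The argv form removes the shell from the picture entirely, which is the difference between "fixed command" and "fixed command that a shell still parses"; it also makes the command list easy to review in one place before running OS-scan mode.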
Future installs may pull different dependency versions, which can affect reproducibility or inherit upstream package risk.
The setup instructions install dependencies without pinned versions or a lockfile. This is normal for a small Python utility, but it relies on whatever package versions are available from the package index at install time.
pip install requests openpyxl
Install in a virtual environment and consider using pinned versions or a reviewed requirements file before relying on the scanner.
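An added example (not part of the skill) of the review gate a reviewed requirements file implies: it rejects any requirement that is not pinned with `==` and, optionally, any pin without a `--hash=` line, so the file can be fed to `pip install --require-hashes -r`. The regex, the line-joining logic and the sample files are assumptions for this illustration; the version numbers and the all-zero hash are constructed placeholders, not values to copy.

```python
import re
from typing import List

# name, optional [extras], then an exact == pin; stops at whitespace, ';' or '#'.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^\s;#]+)")


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop comments and blanks, as pip does."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def check_requirements(text: str, require_hashes: bool = True) -> List[str]:
    """Return one problem per requirement that is not exactly pinned or, when
    require_hashes is set, lacks a --hash option. Empty list means clean."""
    problems = []
    for line in _logical_lines(text):
        if line.startswith("-"):  # pip options such as --index-url, not requirements
            continue
        m = PIN_RE.match(line)
        if not m:
            problems.append(f"not pinned with ==: {line.split()[0]}")
            continue
        if require_hashes and "--hash=" not in line:
            problems.append(f"no --hash for {m.group(1)}=={m.group(3)}")
    return problems


# Constructed sample files. Versions and the hash are placeholders only;
# generate real ones with `pip freeze` or a hash-generating compiler.
UNPINNED = "requests\nopenpyxl\n"
PINNED_NO_HASH = "requests==2.32.3\nopenpyxl==3.1.5\n"
PINNED_WITH_HASH = "requests==2.32.3 \\\n    --hash=sha256:" + "0" * 64 + "\n"


if __name__ == "__main__":
    for label, body in [("unpinned", UNPINNED), ("pinned", PINNED_NO_HASH),
                        ("hashed", PINNED_WITH_HASH)]:
        print(label, check_requirements(body) or "ok")
```

Run this over the requirements file in a pre-install step; the first sample (the page's `pip install requests openpyxl` written as a file) fails, the hashed one passes.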
