Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
agent-bom
v0.76.4
Open security scanner for agentic infrastructure — agents, MCP, packages, blast radius, runtime, and trust across MCP discovery, CVEs, SBOMs, CIS benchmarks...
⭐ 0 · 1.4k · 5 current · 5 all-time
by Agent Bom @msaad00
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (agentic infrastructure scanner, SBOMs, CIS checks, blast radius) align with the listed behaviors: discovery, scanning, compliance, enforcement, and optional cloud CIS checks. The files it reads (MCP/tool config, SBOMs, IaC) are consistent with discovery and scanning duties.
Instruction Scope
The SKILL.md instructs the agent to read many user config files across home and application directories (Claude, Cursor, VS Code, JetBrains, Snowflake, etc.). This is coherent with discovery, but these paths can contain sensitive values (tokens, credentials). The SKILL.md asserts env-var redaction via sanitize_env_vars() and that env values are never extracted, but this bundle contains only instruction documents (no executable code), so that sanitization cannot be verified locally from the package contents provided here.
Install Mechanism
This is an instruction-only skill with no install specification in the bundle, which is lower-risk. The instructions point users to pipx/pip/docker origins and a GitHub/PyPI source; those are plausible well-known channels. No arbitrary download/extract URLs are present in the local manifest.
Credentials
No required env vars or credentials are declared; several cloud-related env vars are listed as optional and justified for optional CIS checks. That is proportionate. However, because the skill wants to read many config files that may contain environment values, the claim that env var values are redacted before processing is a critical control that must be validated in upstream code before trusting the skill.
Persistence & Privilege
The skill does not request permanent presence (always: false). Subcomponents declare restricted autonomous invocation; the enforcement subskill sets disable-model-invocation: true. The skill writes an audit log only when the proxy is explicitly run. No unusual persistence or privilege escalation is requested.
What to consider before installing
This skill appears to do what it says (discovery, scanning, compliance), but it requires reading many local config files that can contain secrets. Before installing or running scans: (1) review the upstream repository code—especially sanitize_env_vars() (the SKILL.md points to a GitHub link)—to confirm it actually redacts sensitive values; (2) verify provenance (Sigstore/packaging) and inspect the pip/ghcr artifacts you will install; (3) run scans from an isolated or least-privilege account/VM if possible; (4) decline or avoid running optional cloud CIS checks unless you explicitly consent and understand which credentials will be used; and (5) do not grant autonomous invocation or start the proxy/dashboard without confirming the exact behavior and local network bindings. If you want, provide the linked GitHub files (security.py and discovery/__init__.py) and I can re-evaluate the redaction and file-handling logic.

Like a lobster shell, security has layers — review code before you run it.
Tags: ai-supply-chain · cve · latest · mcp · sbom · security
Runtime requirements
🛡 Clawdis
OS: macOS · Linux · Windows
