Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shadows Security Scanner
v1.1.0
7-phase security audit pipeline — reconnaissance, dependency scan, application tests, API security, hardening check, OWASP verification, report. Use before p...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name and description are consistent with the instructions: git is required for history/secret scans; npm/pip/cargo are optional for dependency audits. No unrelated credentials, config paths, or strange binaries are requested.
Instruction Scope
Instructions explicitly run grep across source files, run dependency auditors (which perform network reads), and run git log --all -p to search history. These actions are appropriate for a security audit, but they will read repository content (including any secrets) and may make network requests to vulnerability databases. The SKILL.md warns about only curling user-provided URLs for header checks.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written by an installer. Risk from installs is low because the skill assumes locally installed standard tools (git, npm, pip, cargo).
Credentials
No environment variables, credentials, or config paths are requested. Optional tools are proportionate to the dependency-audit features. The skill does not request unrelated secrets or keys.
Persistence & Privilege
always: false and no install means no forced or persistent presence. The skill does not attempt to modify other skills or system-wide agent settings.
Assessment
This skill appears coherent for running a repo-focused security audit. Before running it:
(1) verify the skill source (registry metadata shows an external homepage in SKILL.md but the package's declared homepage is missing — confirm authenticity);
(2) run scans only in the intended repository or an isolated clone to avoid accidentally scanning unrelated files on the machine;
(3) be aware dependency auditors (npm audit, pip-audit, cargo-audit) make read-only network calls to vulnerability databases;
(4) outputs (git history, grep results) can contain secrets — treat reports carefully and rotate any exposed secrets;
(5) if you are uncertain, run the suggested commands manually in a controlled environment first rather than giving the agent autonomous execution access.
Like a lobster shell, security has layers — review code before you run it.
latest: vk972jckns304j2mnzqhzccstfn82eqyr
Runtime requirements
🛡️ Clawdis
OS: macOS · Linux · Windows
Bins: git
Any bin: npm, pip, pip3, cargo
