Shadows Security Scanner Review
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent security-audit checklist skill that uses read-only local and network checks, but it may surface sensitive secrets during the scan.
This skill appears suitable for security review use, but run it only on projects you are authorized to audit. Be careful with outputs because secret-search commands may print real credentials, and dependency audit commands may contact external vulnerability services.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may run local scans and contact vulnerability databases or an explicitly provided URL during an audit.
The skill directs use of local command-line tools and network-capable audit commands. This is expected for a security scanner, and the curl check is explicitly limited to a user-provided target URL.
npm audit --json ... pip audit ... cargo audit ... curl -sI "$TARGET_URL"
Run it only from the intended project directory, review any target URL before use, and understand that dependency metadata may be sent to audit services.
Sensitive credentials may appear in the agent conversation, terminal output, or audit report.
The skill intentionally searches for hardcoded secrets, including .env files, which can expose real tokens or private keys in command output or reports.
grep -rniE "(password|secret|api_key|token|private_key)\s*[:=]..." --include="*.env"
Use this only in trusted workspaces, avoid sharing raw scan output publicly, redact discovered secrets, and rotate any credentials that were exposed.
If users install these optional tools, they are trusting the package manager source and the current package version.
The skill references optional external audit tools installed through package ecosystems. This is purpose-aligned, but the referenced installs are not pinned in the artifact.
# Python — requires pip-audit (pip install pip-audit) ... # Rust — requires cargo-audit (cargo install cargo-audit)
Install audit tools from their official documentation or trusted package indexes, and prefer pinned or verified versions in sensitive environments.
