Neckr0ik Security Scanner
Review
Audited by ClawScan on May 10, 2026.
Overview
The visible artifacts describe a coherent local security scanner. Its reports include source snippets from the scanned files, and those snippets can contain the detected secrets themselves.
This appears safe to use as a local, user-invoked security scanner. Only run it on directories you intend to audit, and protect its output, because reports may contain snippets of real secrets found in scanned files. Also verify the exact command or script path before use, because the artifacts do not include a full install specification.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the batch mode may read and summarize many locally installed skill files.
The skill can scan all installed OpenClaw skills, which means it reads a broad local skill directory. This is expected for a security audit tool, but users should be aware of the scope.
skill-security-audit audit-all: Scans `~/.openclaw/skills/` and reports on all installed skills.
Use single-skill scans when possible, and run audit-all only when you intend to review all installed skills.
Security reports could expose actual credentials found in scanned files if the reports are shared, logged, or committed.
For detected secrets and other findings, the scanner includes the offending source line (stripped and truncated to 200 characters) in the result. If a real API key or password is on that line, the secret value itself appears in terminal, JSON, Markdown, or CI output.
code_snippet=line.strip()[:200]
Treat audit reports as sensitive, avoid publishing raw JSON/Markdown results, and consider redacting detected secret values before sharing.
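As an added example (not part of the reviewed skill or of ClawScan's tooling), the following Python shows one way to post-process a report before sharing it: it masks secret values inside each finding's code snippet while leaving the rest of the line readable, so the finding stays actionable without leaking the credential. The finding schema (`file`, `line`, `category`, `code_snippet`), the sample findings and the two secret patterns are constructed for illustration; the scanner's real output format is not visible in the reviewed artifacts.

```python
import json
import re

# Secret-value patterns. Constructed for this example; extend with the
# token shapes the scanner itself reports.
AWS_ACCESS_KEY = re.compile(r"AKIA[0-9A-Z]{16}")
# key = value / key: value style assignments; group 2 is the secret value.
ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
)

# Constructed sample findings in a hypothetical report schema. The key
# values below are made up and are not real credentials.
SAMPLE_FINDINGS = [
    {"file": "skills/demo/config.py", "line": 12, "category": "secret",
     "code_snippet": 'API_KEY = "sk_live_0123456789abcdef0123"'},
    {"file": "skills/demo/deploy.sh", "line": 3, "category": "secret",
     "code_snippet": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},
    {"file": "skills/demo/run.py", "line": 40, "category": "dangerous_call",
     "code_snippet": "subprocess.run(cmd, shell=True)"},
]


def mask_value(value, keep=4):
    """Keep a short prefix so a reader can still correlate the finding with
    the file; replace the rest with asterisks."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def redact_snippet(snippet):
    """Return (redacted_snippet, number_of_values_masked)."""
    count = 0

    def mask_assigned(m):
        nonlocal count
        count += 1
        # Keep everything up to the value: name, separator, opening quote.
        prefix = m.group(0)[: m.start(2) - m.start(0)]
        return prefix + mask_value(m.group(2))

    def mask_whole(m):
        nonlocal count
        count += 1
        return mask_value(m.group(0))

    # Assignment first, so a key that is both assigned and matches a
    # bare-token pattern is masked (and counted) only once.
    out = ASSIGNMENT.sub(mask_assigned, snippet)
    out = AWS_ACCESS_KEY.sub(mask_whole, out)
    return out, count


def redact_report(findings):
    """Return a new list of findings with snippets redacted and a
    per-finding 'redactions' count; the input list is left untouched."""
    redacted = []
    for finding in findings:
        snippet, n = redact_snippet(finding.get("code_snippet", ""))
        safe = dict(finding)
        safe["code_snippet"] = snippet
        safe["redactions"] = n
        redacted.append(safe)
    return redacted


if __name__ == "__main__":
    print(json.dumps(redact_report(SAMPLE_FINDINGS), indent=2))
```

Run the redaction on the JSON output before it is written to a CI log or committed; anything the patterns miss still ships, so treat the redacted report as sensitive too, just less so.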
The documented command may not be automatically installed or may require manual execution of the included Python script.
The skill includes a script and documents CLI-style commands, but the registry metadata does not define an install mechanism. This may make setup and command provenance less clear.
No install spec — this is an instruction-only skill.
Verify how the command is invoked in your environment, and prefer running the included script directly from the reviewed skill directory if needed.
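Added example, not part of the reviewed skill: a Python check that resolves a command name the way the shell would, follows symlinks, and reports whether the real file lives inside the skill directory you actually reviewed. `build_fixture()` creates a throwaway skill directory and a shim on a private search path so the check runs offline. The command name `skill-security-audit` is the one the skill documents; the directory names, the script name `audit.py` and the fixture layout are constructed.

```python
import os
import shutil
import stat
import tempfile

COMMAND = "skill-security-audit"  # command name documented by the skill


def resolve_command(name, expected_dir, search_path=None):
    """Locate `name` like the shell does (PATH, or `search_path` if given),
    resolve symlinks, and report whether the real file is under expected_dir."""
    found = shutil.which(name, path=search_path)
    if found is None:
        return {"name": name, "found": None, "real": None, "inside_expected": False}
    real = os.path.realpath(found)
    expected = os.path.realpath(os.path.expanduser(expected_dir))
    inside = os.path.commonpath([real, expected]) == expected
    return {"name": name, "found": found, "real": real, "inside_expected": inside}


def build_fixture(shim_target="reviewed"):
    """Constructed fixture: a fake skill directory holding the script, a second
    'elsewhere' directory with a look-alike script, and a bin directory whose
    shim points at one of them. Returns (skill_dir, bin_dir)."""
    root = tempfile.mkdtemp(prefix="clawscan-demo-")
    skill_dir = os.path.join(root, "skills", "neckr0ik-security-scanner")  # hypothetical name
    other_dir = os.path.join(root, "elsewhere")
    bin_dir = os.path.join(root, "bin")
    for d in (skill_dir, other_dir, bin_dir):
        os.makedirs(d)
    for d in (skill_dir, other_dir):
        script = os.path.join(d, "audit.py")
        with open(script, "w") as fh:
            fh.write("#!/usr/bin/env python3\nprint('demo')\n")
        os.chmod(script, os.stat(script).st_mode | stat.S_IXUSR)
    target = skill_dir if shim_target == "reviewed" else other_dir
    os.symlink(os.path.join(target, "audit.py"), os.path.join(bin_dir, COMMAND))
    return skill_dir, bin_dir


if __name__ == "__main__":
    skill_dir, bin_dir = build_fixture()
    print(resolve_command(COMMAND, skill_dir, search_path=bin_dir))
```

In real use, pass the directory you reviewed as `expected_dir` and leave `search_path` unset so the check walks your actual PATH; a result with `inside_expected` false means the name resolves to a file you did not audit, and running the reviewed script directly by path is the safer choice.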
