Skill Vetter — Security Audit for AI Skills
Verdict: Pass. Audited by ClawScan on May 3, 2026.
Overview
This is an instruction-only security checklist with no code or credential access, though users should verify its provenance and review the optional GitHub command examples before use.
This skill is safe to treat as a checklist-style aid, but do not treat its verdicts as authoritative on their own. Verify the publisher/source, and only run the example GitHub commands when you intentionally want the agent to inspect that repository.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the examples are used, the agent may contact GitHub and retrieve repository metadata or files for review.
The skill documents shell commands that call GitHub APIs and fetch remote SKILL.md files. This is aligned with vetting GitHub-hosted skills, but users should recognize these commands perform network access if run.
curl -s "https://api.github.com/repos/OWNER/REPO" | jq ...
Use these commands only for repositories you intend to inspect, keep placeholders properly scoped, and review fetched content before acting on it.
The package appears instruction-only, but the publisher identity should be confirmed before relying on it as a security-review authority.
The packaged metadata differs from the registry metadata shown in the submission, which lists a different owner ID and slug. This is a provenance consistency note, not evidence of malicious behavior.
"ownerId": "kn71j6xbmpwfvx4c6y1ez8cd718081mg", "slug": "skill-vetter"
Verify the registry entry and publisher/source before installation, especially because the skill is intended to guide security decisions.
