Skill Vetter — Security Audit for AI Skills
Advisory
Audited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the examples are used, the agent may contact GitHub and retrieve repository metadata or files for review.
The skill documents shell commands that call GitHub APIs and fetch remote SKILL.md files. This is aligned with vetting GitHub-hosted skills, but users should recognize these commands perform network access if run.
curl -s "https://api.github.com/repos/OWNER/REPO" | jq ...
Use these commands only for repositories you intend to inspect, keep placeholders properly scoped, and review fetched content before acting on it.
The package appears instruction-only, but the publisher identity should be confirmed before relying on it as a security-review authority.
The packaged metadata differs from the registry metadata shown in the submission, which lists a different owner ID and slug. This is a provenance consistency note, not evidence of malicious behavior.
"ownerId": "kn71j6xbmpwfvx4c6y1ez8cd718081mg", "slug": "skill-vetter"
Verify the registry entry and publisher/source before installation, especially because the skill is intended to guide security decisions.
