Argus Pro — Code Intelligence Scanner

Pass

Audited by ClawScan on May 10, 2026.

Overview

Argus Pro appears to be a disclosed local code scanner, but users should be careful with its Python package install command, license key, and saved scan outputs.

This skill looks coherent for local Python/JavaScript static analysis. Before installing, use a virtual environment for the dependency install, protect the LICENSE_KEY, set SOURCE_PATH and IGNORE_PATHS to avoid scanning unintended files, and keep any JSON scan reports private.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing this way could affect the local Python environment, especially on systems where Python packages are managed by the operating system.

Why it was flagged

The skill asks the user/agent to install an unpinned Python package and uses --break-system-packages, which can modify a system-managed Python environment.

Skill content

pip3 install rich --break-system-packages --quiet

Recommendation

Install in a virtual environment and pin/verify dependencies where possible instead of using --break-system-packages on a system Python.

What this means

A license key is a sensitive secret, even though the shown code only checks that it is present and does not show transmission or logging.

Why it was flagged

The skill requires a license key as an environment variable and checks for it before running.

Skill content

requires:\n      env: [LICENSE_KEY] ... LICENSE_KEY = os.environ.get("LICENSE_KEY","").strip()

Recommendation

Store the license key securely, avoid committing it to source control, and review any future version for network use or logging of LICENSE_KEY.

What this means

Saved scan reports may reveal sensitive file paths, security issues, or credential-like strings found in the codebase.

Why it was flagged

The scanner defaults to scanning the current path and saving JSON-style results for CI/trend tracking, which can persist findings derived from local source code.

Skill content

SRC_PATH      = os.environ.get("SOURCE_PATH",".").strip() ... OUTPUT_JSON   = os.environ.get("OUTPUT_JSON","true").lower() == "true" ... trend tracking across scans

Recommendation

Set SOURCE_PATH and IGNORE_PATHS intentionally, keep generated JSON reports private, and avoid publishing scan artifacts that may contain sensitive findings.