Skillscanner
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent and low-risk, but it works by sending a skill URL to an external scan API and relying on that service's verdict.
This skill appears benign and narrowly scoped. Before installing, understand that it sends the skill URL you provide to https://ai.gendigital.com and bases its recommendation on that service's response; use SAFE results as helpful guidance rather than a complete security guarantee.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The service can learn which ClawHub skill URL you asked to scan, but the artifacts do not show credential, file, or private data access.
The skill directs the agent to make an external HTTP POST request with the skill URL. This is expected for a scan-lookup skill, but users should know a third-party API receives the URL being checked.
curl --request POST --url "https://ai.gendigital.com/api/scan/lookup" ... --data '{"skillUrl":"https://clawhub.ai/AUTHOR/SKILL_SLUG"}'Use it for intended ClawHub skill URLs, and avoid submitting URLs you consider private or sensitive unless you trust the scan provider.
A user or agent may place significant trust in the external scanner's result, even though the skill itself acknowledges possible false negatives.
The skill tells the agent to rely on the API's SAFE verdict, while also disclosing limitations. This is purpose-aligned, but users should not treat a SAFE result as absolute proof of safety.
Proceed only when the verdict is **SAFE**. ... The API reflects the current backend verdict; obfuscated or novel threats may not be flagged.
Treat the scan result as one input to a decision, especially for high-impact skills; continue using least privilege, sandboxing, and manual review when appropriate.