Agent Skills Tools
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent local security-audit skill; it runs a readable shell scanner and may print credential-like matches from the directory you choose.
This looks safe to use as a local auditing aid if you run it deliberately on a specific skill directory. Be aware that successful secret-detection findings may display the secret text, so do not paste or share the output publicly without redaction.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user points it at a broad private directory instead of a skill package, file paths and matching lines from more local files could be shown in the audit output.
The scanner recursively inspects a user-supplied or default current directory and can inspect Git history; this is intended for auditing skills, but scope depends entirely on the path used.
SKILL_DIR="${1:-.}" ... find "$SKILL_DIR" ... git -C "$SKILL_DIR" log --all -S "api_key"
Run it only on the specific skill package you intend to audit, and avoid using home directories or unrelated project roots as the target.
Real secrets in a scanned package could become visible in the agent transcript or logs while reviewing the audit results.
When the audit finds credential-like strings, it prints matching lines to the output instead of redacting the secret value.
CREDENTIAL_LEAKS=$(find "$SKILL_DIR" ... grep ...); ... echo "$CREDENTIAL_LEAKS"
Treat audit output as sensitive; redact matched values before sharing, or modify the scanner to mask secret values by default.
Users have less publisher/project context to rely on and should base trust on reviewing the included files.
The package has limited external provenance information, although the included script is small and fully visible in the provided artifacts.
Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.
Review the visible script before running it and prefer verified publisher/source links when available.
