Sovereign Project Guardian

Result: Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent instruction-only project audit skill, but users should know it may inspect project files for secrets and suggest local audit commands.

This skill appears safe to install as an instruction-only project auditor. Before using it, decide whether the agent may read the whole target repository, request redaction of any discovered secrets, and approve any suggested audit commands before they run.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the project contains real secrets, the agent may display them in its response unless asked to redact values.

Why it was flagged

The example report shows secret values being included directly in audit output; in real use, discovered credentials could enter the agent conversation or generated report.

Skill content

`src/db.js:3` contains database password: "dbpass123"

Recommendation

Use this only on projects you intend the agent to inspect, and ask it to report secret type and location while masking the actual secret value.

What this means

Suggested audit commands may inspect local project files or make network requests if the agent is allowed to run them.

Why it was flagged

The methodology recommends dependency-audit tooling, which is normal for this purpose but may read project manifests or contact package registries and vulnerability-advisory services.

Skill content

Are there known vulnerable dependencies? (recommend running `npm audit`, `pip-audit`, `govulncheck`, `cargo audit`)

Recommendation

Approve audit commands explicitly and run them only in the intended project directory.