Security Scan
Review
Audited by ClawScan on May 1, 2026.
Overview
This skill is a coherent, user-directed local security scanner, but its output can include suspected secrets, so users should handle scan results carefully.
This appears safe to use for its stated purpose. Choose the target directory carefully, review results manually, and avoid posting raw scan output if it includes suspected secrets or private file paths.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill will run local shell commands to inspect files in the selected target directory.
The skill instructs the user to run a bundled shell script. This is disclosed and central to the security-scan purpose, but it is still local command execution.
bash scripts/scan.sh /path/to/target
Run it only from the installed skill directory and only against folders you intend to review.
If the target contains real credentials, the scan output may reveal them to anyone who can see the output.
The scanner searches for API-key-like values and prints matching lines. This is purpose-aligned, but real credentials could appear in the terminal, chat transcript, or copied report.
SECRETS=$(grep -rEn 'AIza[0-9A-Za-z_-]{35}|sk-[0-9A-Za-z]{32,}|gsk_[0-9A-Za-z]{16,}|nvapi-[0-9A-Za-z-]{16,}' ...); ... echo "$SECRETS"
Treat findings as sensitive, avoid sharing raw output publicly, and rotate any real credentials that are found.
The scan may fail or behave differently on systems without these shell utilities.
The helper depends on Bash, grep, and find, while the registry requirements list no required binaries. These are common local tools and the behavior is visible, so this is a minor dependency-declaration gap rather than a material concern.
#!/bin/bash ... grep -rEn ... find "$TARGET_DIR" -type f -perm -0002
Document Bash, grep, and find as prerequisites if publishing this skill broadly.
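As an added example that is not the skill's own scripts/scan.sh, the script below shows how the second and third findings could be addressed together. It checks for the tools it needs before touching the target, reuses the key patterns quoted from the reviewed script (assuming the excerpt above is the complete pattern list), prints each hit as path and line number with all but the first four characters of the matched token masked, so a terminal, chat transcript or copied report never carries the raw credential, and mirrors the reviewed script's world-writable file check. The script and function names are illustrative, and it is written to run under POSIX sh as well as Bash.

```shell
#!/bin/sh
# Added example, not the reviewed skill's scripts/scan.sh.
# Usage: sh scan_redacted.sh /path/to/target
# Runs under POSIX sh or bash; needs grep (with -r/-o/-I), find and tr.
set -eu

# Key-like token patterns, copied from the excerpt of the reviewed script.
KEY_RE='AIza[0-9A-Za-z_-]{35}|sk-[0-9A-Za-z]{32,}|gsk_[0-9A-Za-z]{16,}|nvapi-[0-9A-Za-z-]{16,}'

# Return 0 if every required tool is on PATH, otherwise name each missing one.
check_prereqs() {
    missing=0
    for tool in grep find tr; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing required tool: $tool" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Mask a matched token: keep its first four characters and star out the rest,
# so the output identifies the credential type without disclosing it.
redact_token() {
    rest="${1#????}"                 # everything after the first four chars
    prefix="${1%"$rest"}"            # the first four chars
    printf '%s%s\n' "$prefix" "$(printf '%s' "$rest" | tr -c '\n' '*')"
}

# Print one "path:line:masked-token" per hit. -I skips binary files, -o prints
# only the matched token (never the whole line), --exclude-dir avoids .git.
scan_secrets() {
    { grep -rIEon --exclude-dir=.git -- "$KEY_RE" "$1" 2>/dev/null || true; } |
    while IFS= read -r hit; do
        token="${hit##*:}"           # token follows the last ':' (patterns contain none)
        location="${hit%:*}"         # "path:line"
        printf '%s:%s\n' "$location" "$(redact_token "$token")"
    done
}

# Same world-writable file check as the reviewed script.
list_world_writable() {
    find "$1" -type f -perm -0002
}

main() {
    check_prereqs || exit 2
    echo "== Possible credentials (redacted) =="
    scan_secrets "$1"
    echo "== World-writable files =="
    list_world_writable "$1"
}

# Only run the scan when a target directory is given on the command line.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Because the output shows only the file, line and a masked prefix, it is safe to paste into a ticket; the reviewer then opens the file locally to confirm and rotate the credential.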
