Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OSV Scanner

v1.0.0

Scans Node.js/NPM and Linux packages for known vulnerabilities using the Google OSV API by analyzing dependencies and reporting related CVEs.

by Nassi Mohammed (@moenassi)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious

OpenClaw: Benign (medium confidence)
Purpose & Capability
The name and description (OSV-based vulnerability scanner) align with the files and behavior: scanner.py reads dependency lists, queries api.osv.dev, and writes results to an Excel template. The included package lists (npm/python/linux) match the stated scan targets.
Instruction Scope
SKILL.md instructions are within the claimed scope (create a venv, install requests/openpyxl, provide package files, run scanner.py). The README and SKILL.md instruct the user to rename template/ScanResult.txt to .xlsx, because scanner.py expects template/ScanResult.xlsx. This is odd, but it is documented in SKILL.md. No instructions request reading unrelated system secrets or sending data to endpoints other than the OSV API.
Install Mechanism
No automated install spec; this is instruction-only and requires the user to pip-install 'requests' and 'openpyxl' in a venv. No downloads from unknown URLs or archive extraction are present.
Credentials
The skill requires no environment variables, credentials, or config paths. It only posts dependency name/version payloads to the Google OSV API (api.osv.dev), which is expected for this purpose.
Persistence & Privilege
The skill does not request persistent or elevated privileges and is not always-enabled. It does run local shell commands (lsb_release, dpkg-query) to enumerate OS packages when asked to scan the OS; this is within scope for an OS package scanner.
Assessment
This skill is coherent for vulnerability scanning and does not ask for secrets, but review and fix the following before running it:

1) scanner.py has a clear bug in the npm branch: the f-string lines.append(f'{name}=={version.split('^')[1]}') reuses the enclosing single quote inside the expression, which is a syntax error on Python versions before 3.12, and version.split('^')[1] fails with an IndexError for any version string that contains no '^'. Fix it by stripping the caret (for example version.lstrip('^')) and using proper quoting.
2) SKILL.md asks you to rename template/ScanResult.txt to template/ScanResult.xlsx because the script expects the .xlsx path; do that or change TEMPLATE_PATH.
3) The script uses subprocess with shell=True for static commands (lsb_release, dpkg-query). These are reasonable for enumerating OS packages, but avoid running the script on systems with sensitive data or where you do not trust the included files.
4) The script POSTs package name/version information to api.osv.dev (expected for this tool); if you need to avoid sending data externally, do not run it, or modify it to query a local database.
5) As always, run untrusted scripts in an isolated environment (container or VM), inspect and patch the code (the npm branch and error handling) before use, and verify that the template header ('MachineA') matches your expected spreadsheet format.
