Security Scanner
v1.0.0
Automated security scanning and vulnerability detection for web applications, APIs, and infrastructure. Use when you need to scan targets for vulnerabilities, check SSL certificates, find open ports, detect misconfigurations, or perform security audits. Integrates with nmap, nuclei, and other security tools.
by dmx @dmx64
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly expects nmap, nuclei, sslscan, nikto, testssl.sh and similar tools, but the skill metadata lists no required binaries, no install spec, and no primary credential. A legitimate security-scanner skill would normally declare the expected tools or provide an install path; the omission is inconsistent.
Instruction Scope
Instructions are precise command examples for port, vuln, and SSL scanning and include an ethics note. They do not request unrelated files or credentials and do not appear to exfiltrate data, but they assume the agent can run potentially intrusive network-scanning commands — which can be abused if run against unauthorized targets. The guidance does not include runtime checks (e.g., verify authorization) beyond a short ethics bullet.
Install Mechanism
This is instruction-only (no install spec and no code). That's low risk from arbitrary downloads, but also problematic because the SKILL.md depends on external CLI tools and provides no instructions for obtaining or verifying them. If an agent tried to satisfy missing tools automatically, behavior is undefined.
Credentials
The skill requests no environment variables, credentials, or config paths, which is appropriate for a command-line scanning checklist. There is no unexplained secret access requested.
Persistence & Privilege
The skill does not request persistent presence (always: false), does not modify system or other-skill configs, and does not attempt to store credentials. Autonomous invocation is allowed by platform default but is not additionally privileged here.
What to consider before installing
This SKILL.md contains useful, explicit commands for running network and web-application scanners, but the package metadata fails to declare the required tools or provide an install method. Before installing or enabling it: (1) verify the skill's source and trustworthiness (no homepage or known owner info here); (2) ensure the required tools (nmap, nuclei, sslscan, nikto, testssl.sh) are installed from official sources and available in a controlled environment; (3) never run these commands against targets for which you do not have written authorization; (4) prefer a skill that declares required binaries or includes a vetted install step so you know exactly what will be executed; and (5) if you allow autonomous invocation, restrict the agent's network and system permissions to avoid accidental or malicious scanning of unauthorized targets.
Like a lobster shell, security has layers — review code before you run it.
