llm-sast-scanner
Result: Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a read-only SAST reference skill; the static alerts are vulnerability examples, not active secrets or hidden behavior.
This looks reasonable for a SAST/reference skill. Before installing or invoking it, choose the exact files or repository you want reviewed, avoid sending unrelated private code or secrets, and treat its vulnerability findings as guidance to verify manually.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on a full repository, proprietary code or embedded secrets in that repository may be included in the agent's analysis context.
The skill may guide the agent to inspect a broad codebase. This is central to SAST and appears user-directed, but users should intentionally scope what code is reviewed.
Target: single file, directory, API endpoint, module, or full repo
Run it only on files or repositories you intend to review, and avoid including unrelated private material or secrets.
There is little external provenance to help users assess who maintains the security guidance.
The publisher/source provenance is limited. The risk is reduced because this is an instruction-only skill with no install script or executable code.
Source: unknown; Homepage: none
Review the reference content before relying on it for important audits, and prefer trusted publishers when provenance matters.
