Snyk Skill Scanner
v1.0.0
Scan installed agent components (MCP servers, skills, agent tools) for security vulnerabilities using snyk-agent-scan. Use only when running uvx snyk-agent-s...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Benign (medium confidence)
Purpose & Capability
The name and description (Snyk Skill Scanner) match the instructions: the skill tells the agent operator how to run snyk-agent-scan via uvx to scan skills and MCP servers. All declared metadata (no env, no binaries, no install spec) is consistent with an instruction-only scanning helper.
Instruction Scope
SKILL.md stays on topic: it instructs running uvx snyk-agent-scan against skill and MCP server paths and shows the expected output. It references common skill paths and documents flags such as --skills and --json. It explicitly notes that it executes external code (snyk-agent-scan via uvx). That is appropriate for a scanner, but it widens the runtime trust boundary: the user or agent fetches and runs third-party code at scan time, so the scanner itself becomes part of the supply chain being trusted.
Install Mechanism
There is no formal install spec in the skill, but the docs instruct running uvx to fetch snyk-agent-scan@latest and include bootstrap instructions for uv that rely on a curl | sh installer from astral.sh. Both uvx and uv download and execute external code at runtime, and @latest means the code that runs can change between scans without any change to the skill itself. Recommending curl | sh is a moderate-risk pattern. It is expected for a tool that wraps an external scanner, but users should verify the sources, pin versions, and prefer vetted package managers or signed releases over piping an unreviewed script into a shell.
Credentials
The skill requests no environment variables, no credentials, and no special config paths. That is proportionate for a read-only scanning helper that runs an external scanner and reports findings.
Persistence & Privilege
always:false, and the skill requests no install step or file writes. It does not demand persistent presence or modify other skills' configurations.
Assessment
This skill is coherent for its stated purpose, but it relies on fetching and running third-party tooling at scan time. Before you use it:
1) Verify the authenticity of uvx/uv and snyk-agent-scan: check the official project pages, release signatures, and the GitHub repository the skill references.
2) Avoid piping unknown curl scripts into sh; prefer a package manager or an install step you have audited.
3) Run scans from a least-privilege or isolated environment where possible, since the scanner executes with whatever access the invoking user has.
4) Review scan results before taking any automated remediation steps.
If you need higher assurance, ask the skill author for a pinned release URL or a signed binary rather than relying on @latest.
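The install-mechanism finding and the assessment steps above describe the same hardening: replace curl | sh with download-then-verify, pin the scanner version instead of using @latest, and refuse to scan as root. The wrapper below is an added example written for this page; it is not part of the skill, of uv, or of snyk-agent-scan. The installer URL is the one the skill's bootstrap instructions point at; the digest, the scanner version, and the environment variable names (UV_INSTALLER_SHA256, SCANNER_VERSION) are placeholders you would fill in from a release you have reviewed. The uvx package@version syntax is uv's own; the scanner flags (--skills, --json) are the ones the SKILL.md documents and are passed through unchanged.

```shell
#!/bin/sh
# Added example, not the skill's own code: a wrapper around the uv bootstrap and
# the snyk-agent-scan invocation that turns "curl | sh" into an auditable step,
# pins the scanner version, and refuses to run with elevated privileges.
# UV_INSTALLER_SHA256 and SCANNER_VERSION are assumed placeholders.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_digest FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
# Comparing against a digest recorded from a reviewed release means the script
# that runs is the script that was read, which "curl | sh" never guarantees.
verify_digest() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# refuse_root: a scanner needs no privilege; running it as uid 0 would let a
# compromised installer or scanner package own the host.
refuse_root() {
    [ "$(id -u)" -ne 0 ]
}

# install_uv_verified: download the installer to a file, check it against the
# pinned digest, and only then execute it. The digest is supplied by the
# operator (placeholder), not fetched from the same server as the script.
install_uv_verified() {
    url="https://astral.sh/uv/install.sh"
    expected="${UV_INSTALLER_SHA256:?set to the digest of the reviewed installer}"
    tmp=$(mktemp)
    curl -fsSL -o "$tmp" "$url"
    if verify_digest "$tmp" "$expected"; then
        sh "$tmp"
        rm -f "$tmp"
    else
        echo "uv installer digest mismatch; refusing to run it" >&2
        rm -f "$tmp"
        return 1
    fi
}

# run_scan [scanner args...]: run a pinned scanner version (uvx pkg@version is
# uv syntax) as an unprivileged user. Flags such as --skills PATH or --json are
# passed through exactly as the SKILL.md documents them.
run_scan() {
    refuse_root || { echo "run the scan as an unprivileged user" >&2; return 1; }
    version="${SCANNER_VERSION:?set to a scanner version you have reviewed}"
    uvx "snyk-agent-scan@${version}" "$@"
}

# Usage (after sourcing this file):
#   UV_INSTALLER_SHA256=<digest from the reviewed release> install_uv_verified
#   SCANNER_VERSION=<reviewed version> run_scan --skills ~/.claude/skills --json
```

Pinning the version closes the gap the assessment calls out (what runs under @latest can change between scans), and the digest check makes the installer a reviewable artifact rather than a live stream into sh; together they are the concrete form of steps 1 and 2 above, with refuse_root covering step 3.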
Tags: latest, scanning, security, snyk
