Snyk Skill Scanner
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only scanner skill is purpose-aligned, but users should notice that it runs an external, unpinned scanner and inspects local agent component files.
Before installing or using this skill, confirm that you trust the snyk-agent-scan package and the uv installation source. Prefer a pinned scanner version if reproducibility matters, and run scans only against agent component directories you intend to inspect.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the command may execute a newer version of the scanner than the one previously reviewed or expected.
The skill runs the scanner using an unpinned @latest package, so the exact external code can change between runs. This is disclosed and central to the scanner's purpose, but it is still a supply-chain detail users should verify.
uvx snyk-agent-scan@latest --skills
Verify the snyk-agent-scan package/project before use and consider pinning a trusted version instead of using @latest.
The scanner can execute locally and inspect the selected agent component paths.
The artifact explicitly discloses that the skill is meant to execute an external CLI tool. That execution is purpose-aligned for a scanner, but users should understand that local external code will run.
This skill intentionally executes external code (snyk-agent-scan via uvx) for security auditing purposes.
Run the command only when you intend to scan, review the exact command first, and restrict scans to paths you want inspected.
