Ai Poison Guard

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The tool may give users more confidence than warranted, especially for website/source verification that the included code does not perform.

Why it was flagged

The shipped script only supports local text/file detection and JSON output, while SKILL.md advertises source verification, domain checks, URL detection, and scoring commands. This is not malicious, but users should not rely on unimplemented security claims.

Skill content

parser.add_argument("--detect-text"...); parser.add_argument("--detect-file"...); parser.add_argument("--json"...)

Recommendation

Treat this as a simple heuristic content scanner unless the missing verification features are actually implemented and reviewed.

What this means

Installing unnecessary unpinned dependencies can add avoidable supply-chain exposure, although nothing in the artifacts runs this automatically.

Why it was flagged

The documentation suggests a manual, unpinned package install, but requirements.txt says the current version is pure local detection and the script does not import these packages.

Skill content

pip3 install requests whois tldextract

Recommendation

Do not install the optional packages unless needed; if future versions require them, prefer pinned versions and reviewed dependency metadata.