Skill Security Audit
Result: Pass. Audited by ClawScan on Feb 27, 2026.
Overview
The skill's files, instructions, and bundled scanner are consistent with a pre-install security audit tool; requested access is proportional and there is no evidence it tries to do anything outside that scope.
This skill is internally coherent and behaves like a static code scanner for ClawHub skills. Before running it, you should: (1) quickly review scripts/scan_skill.py to confirm it only reads files and downloads skill zips (it does) and does not execute scanned code; (2) run the scanner in a restricted environment or sandbox if you are uncomfortable letting it download arbitrary skill packages for analysis; and (3) be cautious about following any copy-paste terminal commands shown inside a scanned skill's SKILL.md — the auditor flags such instructions as high risk. The pre-scan flagged prompt-injection phrases, but those appear as examples to detect rather than live directives.
